From: Vasiliy Kulikov Date: Thu, 13 Jan 2011 00:59:14 +0000 (-0800) Subject: drivers/leds/leds-lp5521.c: fix potential buffer overflow X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=2260209c4973e3eeb1e48abaa9e639373a0d4fb7;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drivers/leds/leds-lp5521.c: fix potential buffer overflow The code doesn't check first sscanf() return value. If first sscanf() failed then c contains some garbage. It might lead to reading uninitialised stack data in the second sscanf() call. Signed-off-by: Vasiliy Kulikov Cc: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c index 33facd0c45d1..e881a75dc39d 100644 --- a/drivers/leds/leds-lp5521.c +++ b/drivers/leds/leds-lp5521.c @@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine, while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { /* separate sscanfs because length is working only for %s */ ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); + if (ret != 2) + goto fail; ret = sscanf(c, "%2x", &cmd); if (ret != 1) goto fail;