From 4d62691b609cc4e66e15c8e5b2261ddb6785b7ca Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Sat, 8 Aug 2009 11:33:58 +0200 Subject: [PATCH] Staging: dream, fix buf overflow In vfe_send_msg_no_payload there is a wrong struct vfe_message allocation. It allocates only sizeof(pointer to vfe_message) for a whole structure. Add a dereference to the sizeof to allocate sizeof(vfe_message). Signed-off-by: Jiri Slaby Acked-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/staging/dream/camera/msm_vfe8x_proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/dream/camera/msm_vfe8x_proc.c b/drivers/staging/dream/camera/msm_vfe8x_proc.c index bb6501340211..5436f7120018 100644 --- a/drivers/staging/dream/camera/msm_vfe8x_proc.c +++ b/drivers/staging/dream/camera/msm_vfe8x_proc.c @@ -818,7 +818,7 @@ static void vfe_send_msg_no_payload(enum VFE_MESSAGE_ID id) { struct vfe_message *msg; - msg = kzalloc(sizeof(msg), GFP_ATOMIC); + msg = kzalloc(sizeof(*msg), GFP_ATOMIC); if (!msg) return; -- 2.20.1