panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
authorXi Wang <xi.wang@gmail.com>
Thu, 29 Dec 2011 04:49:06 +0000 (23:49 -0500)
committerMatthew Garrett <mjg@redhat.com>
Mon, 12 Mar 2012 14:25:51 +0000 (10:25 -0400)
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error.  Then it could bypass the sanity check (num_sifr > 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
drivers/platform/x86/panasonic-laptop.c

index 05be30ee158b54e4e7a3d8344b2476c62fef6c78..ffff8b4b4949502dbc56997f873594da7314b4b4 100644 (file)
@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
 
        num_sifr = acpi_pcc_get_sqty(device);
 
-       if (num_sifr > 255) {
-               ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));
+       if (num_sifr < 0 || num_sifr > 255) {
+               ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
                return -ENODEV;
        }