From 674a59bceb4244dbf56c364bc490df478d2286ca Mon Sep 17 00:00:00 2001 From: Subbaraman Narayanamurthy Date: Thu, 13 Oct 2016 19:16:27 -0700 Subject: [PATCH] fg-util: fix a possible buffer overflow If the string passed is of a huge size, then bytes_read can be higher and can overflow "pos" to a small value. This can cause a potential buffer overflow when "pos" is used again in sscanf. Fix this by validating bytes_read before it is used. CRs-Fixed: 1077693 Change-Id: I59d4472b49b67f481992867a34e6779a4589d035 Signed-off-by: Subbaraman Narayanamurthy --- drivers/power/qcom-charger/fg-util.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/power/qcom-charger/fg-util.c b/drivers/power/qcom-charger/fg-util.c index bbdbe48896d7..0e3c7dbb5731 100644 --- a/drivers/power/qcom-charger/fg-util.c +++ b/drivers/power/qcom-charger/fg-util.c @@ -621,6 +621,17 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf, /* Parse the data in the buffer. It should be a string of numbers */ while ((pos < count) && sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) { + /* + * We shouldn't be receiving a string of characters that + * exceeds a size of 5 to keep this functionally correct. + * Also, we should make sure that pos never gets overflowed + * beyond the limit. + */ + if (bytes_read > 5 || bytes_read > INT_MAX - pos) { + cnt = 0; + ret = -EINVAL; + break; + } pos += bytes_read; values[cnt++] = data & 0xff; }