evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "fg-util: fix a possible buffer overflow"

Browse source
This commit is contained in:
Linux Build Service Account 2016-10-20 18:37:46 -07:00 committed by Gerrit - the friendly Code Review server
commit fd45ca9c59
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
drivers/power/qcom-charger/fg-util.c
View file

@ -621,6 +621,17 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf,
/* Parse the data in the buffer. It should be a string of numbers */ /* Parse the data in the buffer. It should be a string of numbers */
while ((pos < count) && while ((pos < count) &&
sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) { sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
/*
* We shouldn't be receiving a string of characters that
* exceeds a size of 5 to keep this functionally correct.
* Also, we should make sure that pos never gets overflowed
* beyond the limit.
*/
if (bytes_read > 5 || bytes_read > INT_MAX - pos) {
cnt = 0;
ret = -EINVAL;
break;
}
pos += bytes_read; pos += bytes_read;
values[cnt++] = data & 0xff; values[cnt++] = data & 0xff;
} }