diff options
author | Subbaraman Narayanamurthy <subbaram@codeaurora.org> | 2016-10-13 19:16:27 -0700 |
---|---|---|
committer | Subbaraman Narayanamurthy <subbaram@codeaurora.org> | 2016-10-17 19:17:37 -0700 |
commit | 674a59bceb4244dbf56c364bc490df478d2286ca (patch) | |
tree | d941172efec8ae943132f69c471e9748ec94a918 | |
parent | e657410985b5d33b0b4e76f08587345e9fb195ce (diff) |
fg-util: fix a possible buffer overflow
If the string passed is of a huge size, then bytes_read can be
higher and can overflow "pos" to a small value. This can cause
a potential buffer overflow when "pos" is used again in sscanf.
Fix this by validating bytes_read before it is used.
CRs-Fixed: 1077693
Change-Id: I59d4472b49b67f481992867a34e6779a4589d035
Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
-rw-r--r-- | drivers/power/qcom-charger/fg-util.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/power/qcom-charger/fg-util.c b/drivers/power/qcom-charger/fg-util.c index bbdbe48896d7..0e3c7dbb5731 100644 --- a/drivers/power/qcom-charger/fg-util.c +++ b/drivers/power/qcom-charger/fg-util.c @@ -621,6 +621,17 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf, /* Parse the data in the buffer. It should be a string of numbers */ while ((pos < count) && sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) { + /* + * We shouldn't be receiving a string of characters that + * exceeds a size of 5 to keep this functionally correct. + * Also, we should make sure that pos never gets overflowed + * beyond the limit. + */ + if (bytes_read > 5 || bytes_read > INT_MAX - pos) { + cnt = 0; + ret = -EINVAL; + break; + } pos += bytes_read; values[cnt++] = data & 0xff; } |