authorSubbaraman Narayanamurthy <subbaram@codeaurora.org>2016-10-13 19:16:27 -0700
committerSubbaraman Narayanamurthy <subbaram@codeaurora.org>2016-10-17 19:17:37 -0700
commit674a59bceb4244dbf56c364bc490df478d2286ca (patch)
treed941172efec8ae943132f69c471e9748ec94a918 /drivers/power
parente657410985b5d33b0b4e76f08587345e9fb195ce (diff)
fg-util: fix a possible buffer overflow
If the string passed is of a huge size, then bytes_read can be higher and can overflow "pos" to a small value. This can cause a potential buffer overflow when "pos" is used again in sscanf. Fix this by validating bytes_read before it is used. CRs-Fixed: 1077693 Change-Id: I59d4472b49b67f481992867a34e6779a4589d035 Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
Diffstat (limited to 'drivers/power')
-rw-r--r--drivers/power/qcom-charger/fg-util.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/power/qcom-charger/fg-util.c b/drivers/power/qcom-charger/fg-util.c
index bbdbe48896d7..0e3c7dbb5731 100644
--- a/drivers/power/qcom-charger/fg-util.c
+++ b/drivers/power/qcom-charger/fg-util.c
@@ -621,6 +621,17 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf,
/* Parse the data in the buffer. It should be a string of numbers */
while ((pos < count) &&
sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
+ /*
+ * We shouldn't be receiving a string of characters that
+ * exceeds a size of 5 to keep this functionally correct.
+ * Also, we should make sure that pos never gets overflowed
+ * beyond the limit.
+ */
+ if (bytes_read > 5 || bytes_read > INT_MAX - pos) {
+ cnt = 0;
+ ret = -EINVAL;
+ break;
+ }
pos += bytes_read;
values[cnt++] = data & 0xff;
}
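Review bot: The limit in `if (bytes_read > 5 || ...)` is an unexplained literal, and the comment does not say what the five characters cover. Since `%n` reports everything consumed so far, it presumably also counts whitespace that `%i` skips before the number, so a valid byte such as `0xff` preceded by two separators would be rejected with -EINVAL. I would give the limit a name that states what it covers, for example a suggested `#define FG_DFS_MAX_TOKEN_LEN 5 /* one separator + "0xff" */`, and use it in the check. The guard bounds each step of `pos`, but `values[cnt++]` still relies on `values` having room for one entry per parsed token and on `kbuf` being NUL-terminated within `count`. Both are set up in the part of fg_sram_dfs_reg_write that lies outside this hunk and should be confirmed there.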