From d61e441be126e6d92fa18c3c3029ee5632ea118f Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov
Date: Wed, 12 Jan 2011 16:59:14 -0800
Subject: [PATCH] drivers/leds/leds-lp5521.c: fix potential buffer overflow

The code doesn't check first sscanf() return value. If first sscanf() failed then c contains some garbage. It might lead to reading uninitialised stack data in the second sscanf() call.

Signed-off-by: Vasiliy Kulikov
Cc: Richard Purdie
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 drivers/leds/leds-lp5521.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c
index 33facd0c45d10..e881a75dc39db 100644
--- a/drivers/leds/leds-lp5521.c
+++ b/drivers/leds/leds-lp5521.c
@@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine,
 while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) {
 /* separate sscanfs because length is working only for %s */
 ret = sscanf(buf + offset, "%2s%n ", c, &nrchars);
+ if (ret != 2)
+ goto fail;
 ret = sscanf(c, "%2x", &cmd);
 if (ret != 1)
 goto fail;
-- 
2.39.5
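Review bot: The added check `if (ret != 2)` after the first sscanf() looks like it can never pass: the format `"%2s%n "` has only one counted conversion, because in standard C `%n` does not increment the return value, and as far as I know the kernel's vsscanf() behaves the same way. If that holds, every call takes `goto fail` and program loading is rejected outright, which does stop the uninitialised read of `c` but breaks the feature; the check should be `if (ret != 1)`. It is also worth confirming that `c`, declared outside this hunk, is at least three bytes, since `%2s` stores two characters plus the terminator. lp5521_do_store_load() begins and ends outside the hunk, so the `fail` path is not visible here.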