| author | Linux Build Service Account <lnxbuild@localhost> | 2016-10-20 18:37:46 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-10-20 18:37:46 -0700 |
| commit | fd45ca9c59a58f6690cb91d965ade7a2e42389e9 (patch) | |
| tree | dce048e48ac95dda773537c82b15546f0795038c /drivers/power | |
| parent | cc0c20f3fa7cd33e5c7f0c673b65005c637ce2fe (diff) | |
| parent | 674a59bceb4244dbf56c364bc490df478d2286ca (diff) | |
Merge "fg-util: fix a possible buffer overflow"
Diffstat (limited to 'drivers/power')
| -rw-r--r-- | drivers/power/qcom-charger/fg-util.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/power/qcom-charger/fg-util.c b/drivers/power/qcom-charger/fg-util.c
index bbdbe48896d7..0e3c7dbb5731 100644
--- a/drivers/power/qcom-charger/fg-util.c
+++ b/drivers/power/qcom-charger/fg-util.c
@@ -621,6 +621,17 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf,
 /* Parse the data in the buffer. It should be a string of numbers */
 while ((pos < count) && sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
+ /*
+ * We shouldn't be receiving a string of characters that
+ * exceeds a size of 5 to keep this functionally correct.
+ * Also, we should make sure that pos never gets overflowed
+ * beyond the limit.
+ */
+ if (bytes_read > 5 || bytes_read > INT_MAX - pos) {
+ cnt = 0;
+ ret = -EINVAL;
+ break;
+ }
 pos += bytes_read;
 values[cnt++] = data & 0xff;
 } |
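Review bot: The `bytes_read > 5` limit in the added check is an unexplained magic number, and it measures token width rather than the quantity that actually overflows. Because `%n` also counts the whitespace that `%i` skips, a value like `0x12` preceded by two separators already yields 6 and is rejected with -EINVAL. If the invariant being protected is that `values[cnt++]` stays inside its buffer, an explicit bound on `cnt` before the store would express it directly; the allocation of `values` and the declared type of `pos` (which `INT_MAX - pos` presumes to be a non-negative int) are outside this hunk and need confirming there. At minimum I would name the constant and say why it is 5, for example `/* widest accepted token: one separator plus "0xNN" */` if that is the intent. fg_sram_dfs_reg_write begins before and continues after the hunk.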
