Skip to content

Commit

Permalink
panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
Browse files Browse the repository at this point in the history 
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error.  Then it could bypass the sanity check (num_sifr > 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
  • Loading branch information
Xi Wang authored and Matthew Garrett committed Mar 12, 2012
1 parent 461e743 commit e424fb8
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions drivers/platform/x86/panasonic-laptop.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)

num_sifr = acpi_pcc_get_sqty(device);

if (num_sifr > 255) {
ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));
if (num_sifr < 0 || num_sifr > 255) {
ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
return -ENODEV;
}

Expand Down

0 comments on commit e424fb8

Please sign in to comment.