From 069683407ca9a820d05c914b57c587bcd3f16a3a Mon Sep 17 00:00:00 2001 From: David Dai Date: Fri, 5 Aug 2016 15:14:25 -0700 Subject: msm: msm_bus: limit max chars read by sscanf Current bus_floor_vote_store_api does not limit/check the size of the string in input, allowing stack overflow. Specify the max number of characters read allowable to the size of destination buffer. CRs-Fixed: 1050455 Change-Id: Ia9227480be6ea4f3ade71f5675f95a3efd9fcf99 Signed-off-by: David Dai --- drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c index e4c8f1f..a876484 100644 --- a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c +++ b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. +/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. * * This program is Mree software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -133,7 +133,7 @@ static ssize_t bus_floor_vote_store_api(struct device *dev, return 0; } - if (sscanf(buf, "%s %llu", name, &vote_khz) != 2) { + if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) { pr_err("%s:return error", __func__); return -EINVAL; } -- cgit v1.1