From 069683407ca9a820d05c914b57c587bcd3f16a3a Mon Sep 17 00:00:00 2001
From: David Dai <daidavid1@codeaurora.org>
Date: Fri, 5 Aug 2016 15:14:25 -0700
Subject: msm: msm_bus: limit max chars read by sscanf

Current bus_floor_vote_store_api does not limit/check
the size of the string in input, allowing stack overflow.
Specify the max number of characters read allowable to
the size of destination buffer.

CRs-Fixed: 1050455
Change-Id: Ia9227480be6ea4f3ade71f5675f95a3efd9fcf99
Signed-off-by: David Dai <daidavid1@codeaurora.org>
---
 drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
index e4c8f1f..a876484 100644
--- a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
+++ b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
  *
  * This program is Mree software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -133,7 +133,7 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
 		return 0;
 	}
 
-	if (sscanf(buf, "%s %llu", name, &vote_khz) != 2) {
+	if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) {
 		pr_err("%s:return error", __func__);
 		return -EINVAL;
 	}
-- 
cgit v1.1