panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL on error. Then it could bypass the sanity check (num_sifr > 255). The subsequent call to kzalloc() would allocate a small buffer, leading to a memory corruption. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Matthew Garrett <mjg@redhat.com>
This commit is contained in:
parent
461e74377c
commit
e424fb8cc4
|
@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
|
|||
|
||||
num_sifr = acpi_pcc_get_sqty(device);
|
||||
|
||||
if (num_sifr > 255) {
|
||||
ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large"));
|
||||
if (num_sifr < 0 || num_sifr > 255) {
|
||||
ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user