PARISC: led.c - fix potential stack overflow in led_proc_write()

commit 4b4fd27c0b5ec638a1f06ced9226fd95229dbbf0 upstream. avoid potential stack overflow by correctly checking count parameter Reported-by: Ilja <ilja@netric.org> Signed-off-by: Helge Deller <deller@gmx.de> Acked-by: Kyle McMartin <kyle@mcmartin.ca> Cc: James E.J. Bottomley <jejb@parisc-linux.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Helge Deller <deller@gmx.de> 2010-08-02 22:46:41 +0200
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-08-10 09:52:55 -0700
commit: cf32802d7620d7f0e7b1c360cdd5821f2d10a3b0 (patch)
tree: d75f374046b6a1f0b2f268829b96c1d428bdff78 /drivers
parent: 74225fccbb2c3177cf306bdd1e5cd3357cc457bd (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c
index f9b12664f9f..299b4e6e95a 100644
--- a/drivers/parisc/led.c
+++ b/drivers/parisc/led.c
@@ -182,16 +182,18 @@ static int led_proc_read(char *page, char **start, off_t off, int count,
 static int led_proc_write(struct file *file, const char *buf, 
 	unsigned long count, void *data)
 {
-	char *cur, lbuf[count + 1];
+	char *cur, lbuf[32];
 	int d;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EACCES;
 
-	memset(lbuf, 0, count + 1);
+	if (count >= sizeof(lbuf))
+		count = sizeof(lbuf)-1;
 
 	if (copy_from_user(lbuf, buf, count))
 		return -EFAULT;
+	lbuf[count] = 0;
 
 	cur = lbuf;
author	Helge Deller <deller@gmx.de>	2010-08-02 22:46:41 +0200
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-08-10 09:52:55 -0700
commit	cf32802d7620d7f0e7b1c360cdd5821f2d10a3b0 (patch)
tree	d75f374046b6a1f0b2f268829b96c1d428bdff78 /drivers
parent	74225fccbb2c3177cf306bdd1e5cd3357cc457bd (diff)