diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-03-15 14:37:32 +0300 |
---|---|---|
committer | Anton Vorontsov <anton.vorontsov@linaro.org> | 2012-05-04 19:24:48 -0700 |
commit | 1ef3d8fb4deb77ee020b246d217dd4dfb28d88d5 (patch) | |
tree | 13613ae086b2270373532db8490e011c7a0eb259 | |
parent | 69964ea4c7b68c9399f7977aa5b9aa6539a6a98a (diff) | |
download | op-kernel-dev-1ef3d8fb4deb77ee020b246d217dd4dfb28d88d5.zip op-kernel-dev-1ef3d8fb4deb77ee020b246d217dd4dfb28d88d5.tar.gz |
max17042_battery: Fix a couple buffer overflows
There are a couple issues here caused by confusion between sizeof()
and ARRAY_SIZE(). "table_size" should be the number of elements, but we
should allocate it with kcalloc() so that we allocate the correct number
of bytes.
In max17042_init_model() we don't allocate enough space so we go past
the end of the array in max17042_read_model_data() and
max17042_model_data_compare().
In max17042_verify_model_lock() we allocate the right amount of space
but we call max17042_read_model_data() with the wrong number of elements
and also in the for loop we go past the end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dirk Brandewie <dirk.brandewie@gmail.com>
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
-rw-r--r-- | drivers/power/max17042_battery.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/drivers/power/max17042_battery.c b/drivers/power/max17042_battery.c index 04620c2..39dd610 100644 --- a/drivers/power/max17042_battery.c +++ b/drivers/power/max17042_battery.c @@ -325,11 +325,10 @@ static inline int max17042_model_data_compare(struct max17042_chip *chip, static int max17042_init_model(struct max17042_chip *chip) { int ret; - int table_size = - sizeof(chip->pdata->config_data->cell_char_tbl)/sizeof(u16); + int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); u16 *temp_data; - temp_data = kzalloc(table_size, GFP_KERNEL); + temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); if (!temp_data) return -ENOMEM; @@ -354,12 +353,11 @@ static int max17042_init_model(struct max17042_chip *chip) static int max17042_verify_model_lock(struct max17042_chip *chip) { int i; - int table_size = - sizeof(chip->pdata->config_data->cell_char_tbl); + int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); u16 *temp_data; int ret = 0; - temp_data = kzalloc(table_size, GFP_KERNEL); + temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); if (!temp_data) return -ENOMEM; |