authorDan Carpenter <dan.carpenter@oracle.com>2012-03-15 14:37:32 +0300
committerAnton Vorontsov <anton.vorontsov@linaro.org>2012-05-04 19:24:48 -0700
commit1ef3d8fb4deb77ee020b246d217dd4dfb28d88d5 (patch)
tree13613ae086b2270373532db8490e011c7a0eb259 /drivers/power/max17042_battery.c
parent69964ea4c7b68c9399f7977aa5b9aa6539a6a98a (diff)
max17042_battery: Fix a couple buffer overflows
There are a couple issues here caused by confusion between sizeof() and ARRAY_SIZE(). "table_size" should be the number of elements, but we should allocate it with kcalloc() so that we allocate the correct number of bytes. In max17042_init_model() we don't allocate enough space so we go past the end of the array in max17042_read_model_data() and max17042_model_data_compare(). In max17042_verify_model_lock() we allocate the right amount of space but we call max17042_read_model_data() with the wrong number of elements and also in the for loop we go past the end of the array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Dirk Brandewie <dirk.brandewie@gmail.com> Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Diffstat (limited to 'drivers/power/max17042_battery.c')
-rw-r--r--drivers/power/max17042_battery.c10
1 files changed, 4 insertions, 6 deletions
diff --git a/drivers/power/max17042_battery.c b/drivers/power/max17042_battery.c
index 04620c2cb388..39dd610994ac 100644
--- a/drivers/power/max17042_battery.c
+++ b/drivers/power/max17042_battery.c
@@ -325,11 +325,10 @@ static inline int max17042_model_data_compare(struct max17042_chip *chip,
static int max17042_init_model(struct max17042_chip *chip)
{
int ret;
- int table_size =
- sizeof(chip->pdata->config_data->cell_char_tbl)/sizeof(u16);
+ int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
u16 *temp_data;
- temp_data = kzalloc(table_size, GFP_KERNEL);
+ temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
if (!temp_data)
return -ENOMEM;
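Review bot: `table_size` in max17042_init_model() still gives no indication of its unit, and that bytes-versus-elements ambiguity is what produced the overflows fixed here. A short comment on the declaration, e.g. `/* number of u16 entries in cell_char_tbl, not bytes */`, would state the contract for the next reader. The same applies to the identical declaration in max17042_verify_model_lock() in the following hunk, and computing the count in one shared place would keep the two functions from drifting apart again. ARRAY_SIZE() yields an unsigned count that is narrowed into `int` here, which is harmless for a fixed-size table but worth keeping in mind if the helpers taking the count are ever changed. Both function bodies continue outside the hunks, so the helpers' use of the count could not be checked from this view.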
@@ -354,12 +353,11 @@ static int max17042_init_model(struct max17042_chip *chip)
static int max17042_verify_model_lock(struct max17042_chip *chip)
{
int i;
- int table_size =
- sizeof(chip->pdata->config_data->cell_char_tbl);
+ int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
u16 *temp_data;
int ret = 0;
- temp_data = kzalloc(table_size, GFP_KERNEL);
+ temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
if (!temp_data)
return -ENOMEM;