Skip to content

L
linux
Commit 4345ece8 authored by Dan Carpenter's avatar Dan Carpenter Committed by Hans de Goede
Browse files
Options

platform/x86: asus-wmi: Potential buffer overflow in asus_wmi_evaluate_method_buf() 

This code tests for if the obj->buffer.length is larger than the buffer
but then it just does the memcpy() anyway.

Fixes: 0f0ac158 ("platform/x86: asus-wmi: Add support for custom fan curves")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220413073744.GB8812@kiliReviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
parent b2dd71f9
Hide whitespace changes
Inline Side-by-side
Showing with 6 additions and 2 deletions
drivers/platform/x86/asus-wmi.c
View file @ 4345ece8
......@@ -371,10 +371,14 @@ static int asus_wmi_evaluate_method_buf(u32 method_id,
switch (obj->type) {
case ACPI_TYPE_BUFFER:
if (obj->buffer.length > size)
if (obj->buffer.length > size) {
err = -ENOSPC;
if (obj->buffer.length == 0)
break;
}
if (obj->buffer.length == 0) {
err = -ENODATA;
break;
}
memcpy(ret_buffer, obj->buffer.pointer, obj->buffer.length);
break;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7