Commit 8a462905 authored by Yiyuan Guo's avatar Yiyuan Guo Committed by Jonathan Cameron

iio: cros_ec: Fix the allocation size for cros_ec_command

The struct cros_ec_command contains several integer fields and a
trailing array. An allocation size neglecting the integer fields can
lead to buffer overrun.
Reviewed-by: default avatarTzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: default avatarYiyuan Guo <yguoaz@gmail.com>
Fixes: 974e6f02 ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.")
Link: https://lore.kernel.org/r/20230630143719.1513906-1-yguoaz@gmail.com
Cc: <Stable@vger.kerenl.org>
Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
parent 6811694e
...@@ -253,7 +253,7 @@ int cros_ec_sensors_core_init(struct platform_device *pdev, ...@@ -253,7 +253,7 @@ int cros_ec_sensors_core_init(struct platform_device *pdev,
platform_set_drvdata(pdev, indio_dev); platform_set_drvdata(pdev, indio_dev);
state->ec = ec->ec_dev; state->ec = ec->ec_dev;
state->msg = devm_kzalloc(&pdev->dev, state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) +
max((u16)sizeof(struct ec_params_motion_sense), max((u16)sizeof(struct ec_params_motion_sense),
state->ec->max_response), GFP_KERNEL); state->ec->max_response), GFP_KERNEL);
if (!state->msg) if (!state->msg)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment