Commit d2833762 authored by Dan Carpenter's avatar Dan Carpenter Committed by Hans de Goede

platform/x86: asus-wmi: Potential buffer overflow in asus_wmi_evaluate_method_buf()

This code tests for if the obj->buffer.length is larger than the buffer
but then it just does the memcpy() anyway.

Fixes: 0f0ac158 ("platform/x86: asus-wmi: Add support for custom fan curves")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220413073744.GB8812@kiliReviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
parent acd51562
...@@ -371,10 +371,14 @@ static int asus_wmi_evaluate_method_buf(u32 method_id, ...@@ -371,10 +371,14 @@ static int asus_wmi_evaluate_method_buf(u32 method_id,
switch (obj->type) { switch (obj->type) {
case ACPI_TYPE_BUFFER: case ACPI_TYPE_BUFFER:
if (obj->buffer.length > size) if (obj->buffer.length > size) {
err = -ENOSPC; err = -ENOSPC;
if (obj->buffer.length == 0) break;
}
if (obj->buffer.length == 0) {
err = -ENODATA; err = -ENODATA;
break;
}
memcpy(ret_buffer, obj->buffer.pointer, obj->buffer.length); memcpy(ret_buffer, obj->buffer.pointer, obj->buffer.length);
break; break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment