msm: msm_bus: limit max chars read by sscanf Current bus_floor_vote_store_api does not limit/check the size of the string in input, allowing stack overflow. Specify the max number of characters read allowable to the size of destination buffer. CRs-Fixed: 1050455 Change-Id: Ia9227480be6ea4f3ade71f5675f95a3efd9fcf99 Signed-off-by: David Dai <daidavid1@codeaurora.org>

commit: da2250588792b124fa53eca288fd2ed5ebce2fbf [log] [tgz]
author: David Dai <daidavid1@codeaurora.org> Fri Aug 05 15:14:25 2016 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Wed Jul 26 16:16:35 2017 -0700
tree: 93a15b6f32f763814d058237302e36b9909ddae3
parent: 70be28c9d8067d077f5975c64216ee274e37510f [diff]
diff --git a/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c b/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c
index 3f8b52c..6c69bec 100644
--- a/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c
+++ b/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -133,7 +133,7 @@
 		return 0;
 	}
 
-	if (sscanf(buf, "%s %llu", name, &vote_khz) != 2) {
+	if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) {
 		pr_err("%s:return error", __func__);
 		return -EINVAL;
 	}
commit	da2250588792b124fa53eca288fd2ed5ebce2fbf	[log] [tgz]
author	David Dai <daidavid1@codeaurora.org>	Fri Aug 05 15:14:25 2016 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Wed Jul 26 16:16:35 2017 -0700
tree	93a15b6f32f763814d058237302e36b9909ddae3
parent	70be28c9d8067d077f5975c64216ee274e37510f [diff]