iio: cros_ec: Fix the allocation size for cros_ec_command

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The struct cros_ec_command contains several integer fields and a
trailing array. An allocation size neglecting the integer fields can
lead to buffer overrun.

Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Yiyuan Guo <yguoaz@gmail.com>
Fixes: 974e6f02e27e ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.")
Link: https://lore.kernel.org/r/20230630143719.1513906-1-yguoaz@gmail.com
Cc: <Stable@vger.kerenl.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

authored by

Yiyuan Guo and committed by

Jonathan Cameron 2 years ago 8a462905 6811694e

+1 -1

1 changed file

expand all

drivers

iio

common

cros_ec_sensors

cros_ec_sensors_core.c

+1 -1

drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c

··· 253 253 platform_set_drvdata(pdev, indio_dev); 254 254 255 255 state->ec = ec->ec_dev; 256 - state->msg = devm_kzalloc(&pdev->dev, 256 + state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + 257 257 max((u16)sizeof(struct ec_params_motion_sense), 258 258 state->ec->max_response), GFP_KERNEL); 259 259 if (!state->msg)