Return -EINVAL on possible 'sscanf()' errors in
'mwifiex_regrdwr_write()' and 'mwifiex_rdeeprom_write()'.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Antipov <[email protected]>
---
v2: adjust to match series
---
drivers/net/wireless/marvell/mwifiex/debugfs.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c
index 0cdd6c50c1c0..f9c9fec7c792 100644
--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c
+++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c
@@ -425,7 +425,10 @@ mwifiex_regrdwr_write(struct file *file,
if (IS_ERR(buf))
return PTR_ERR(buf);
- sscanf(buf, "%u %x %x", ®_type, ®_offset, ®_value);
+ if (sscanf(buf, "%u %x %x", ®_type, ®_offset, ®_value) != 3) {
+ ret = -EINVAL;
+ goto done;
+ }
if (reg_type == 0 || reg_offset == 0) {
ret = -EINVAL;
@@ -691,7 +694,10 @@ mwifiex_rdeeprom_write(struct file *file,
if (IS_ERR(buf))
return PTR_ERR(buf);
- sscanf(buf, "%d %d", &offset, &bytes);
+ if (sscanf(buf, "%d %d", &offset, &bytes) != 2) {
+ ret = -EINVAL;
+ goto done;
+ }
if (offset == -1 || bytes == -1) {
ret = -EINVAL;
--
2.41.0