For some reason the virtual battery driver code allocates 4k on the stack. This is clearly broken, so keep the length smaller (256) and clean up the string management code to use the bounds-checking versions.
CC: Akihiro MAEDA sola.1980.a@gmail.com CC: Masashi YOKOTA yokota@pylone.jp Signed-off-by: John Stultz john.stultz@linaro.org --- drivers/power/virtual_battery.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/power/virtual_battery.c b/drivers/power/virtual_battery.c
index ed686ef..30c91b4 100644
--- a/drivers/power/virtual_battery.c
+++ b/drivers/power/virtual_battery.c
@@ -115,6 +115,7 @@ static struct power_supply power_supply_bat = {
 };
+#define MAX_KEYLENGTH 256
 struct battery_property_map {
 int value;
 char const * key;
@@ -162,16 +163,18 @@ static struct battery_property_map map_technology[] = {
static int map_get_value(struct battery_property_map * map, const char * key, int def_val)
 {
- char buf[4096];
+ char buf[MAX_KEYLENGTH];
 int cr;
- strcpy(buf, key);
- cr = strlen(buf) - 1;
+ strncpy(buf, key, MAX_KEYLENGTH);
+ buf[MAX_KEYLENGTH-1] = '\0';
+
+ cr = strnlen(buf, MAX_KEYLENGTH) - 1;
 if (buf[cr] == '\n')
 buf[cr] = '\0';
while (map->key) {
- if (strcasecmp(map->key, buf) == 0)
+ if (strncasecmp(map->key, buf, MAX_KEYLENGTH) == 0)
 return map->value;
 map++;
 }
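Review bot: An empty `key` still makes `cr` equal to -1, because `strnlen(buf, MAX_KEYLENGTH) - 1` is computed on a zero length, so the `if (buf[cr] == '\n')` that follows reads, and may then write, one byte before `buf` on the stack. The bounded copy does not cover this path, so the newline strip needs its own guard: `cr = strnlen(buf, MAX_KEYLENGTH);` followed by `if (cr > 0 && buf[cr - 1] == '\n') buf[cr - 1] = '\0';`. If `key` comes from a userspace write (the caller is not visible in this hunk), a zero-length write would be enough to reach it. Separately, the `strncpy` plus manual terminator could be a single `strlcpy(buf, key, sizeof(buf));`, which ties the bound to the buffer rather than to the macro. The body of map_get_value continues past the end of the hunk.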