If length equals 0 then reading buf[length-1] will read before the start of the buffer. Avoid this by moving the length == 0 check up. Cc: Mark Pearson <markpearson@xxxxxxxxxx> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx> --- drivers/platform/x86/think-lmi.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 4881de4e669d..7771c9359449 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c @@ -443,10 +443,13 @@ static ssize_t kbdlang_store(struct kobject *kobj, int length; length = strlen(buf); + if (!length) + return -EINVAL; + if (buf[length-1] == '\n') length--; - if (!length || (length >= TLMI_LANG_MAXLEN)) + if (length >= TLMI_LANG_MAXLEN) return -EINVAL; memcpy(setting->kbdlang, buf, length); -- 2.31.1
