From jirislaby@gmail.com  Mon Aug 10 11:39:02 2009
From: Jiri Slaby <jirislaby@gmail.com>
Date: Sat,  8 Aug 2009 11:33:58 +0200
Subject: Staging: dream, fix buf overflow
To: Greg Kroah-Hartman <gregkh@suse.de>
Cc: pavel@ucw.cz, swetland@google.com, ibm@android.com, san@android.com, linux-kernel@vger.kernel.org, Jiri Slaby <jirislaby@gmail.com>
Message-ID: <1249724038-1011-1-git-send-email-jirislaby@gmail.com>


In vfe_send_msg_no_payload there is a wrong struct vfe_message allocation.
It allocates only sizeof(pointer to vfe_message) for a whole structure.
Add a dereference to the sizeof to allocate sizeof(vfe_message).

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/staging/dream/camera/msm_vfe8x_proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/dream/camera/msm_vfe8x_proc.c
+++ b/drivers/staging/dream/camera/msm_vfe8x_proc.c
@@ -818,7 +818,7 @@ static void vfe_send_msg_no_payload(enum
 {
 	struct vfe_message *msg;
 
-	msg = kzalloc(sizeof(msg), GFP_ATOMIC);
+	msg = kzalloc(sizeof(*msg), GFP_ATOMIC);
 	if (!msg)
 		return;