diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/drivers/acpi/asus_acpi.c x/drivers/acpi/asus_acpi.c
--- x-ref/drivers/acpi/asus_acpi.c 2003-11-28 23:12:34.000000000 +0100
+++ x/drivers/acpi/asus_acpi.c 2004-07-04 00:57:38.271460800 +0200
@@ -40,6 +40,7 @@
 #include
 #include
 #include
+#include
 #define ASUS_ACPI_VERSION "0.26"
@@ -327,7 +328,21 @@ proc_read_mled(char *page, char **start,
 return len;
 }
-
+
+static int parse_arg(const char *buf, unsigned long count, int *val)
+{
+ char s[32];
+ if (!count)
+ return 0;
+ if (count > 31)
+ return -EINVAL;
+ if (copy_from_user(s, buf, count))
+ return -EFAULT;
+ s[count] = 0;
+ if (sscanf(s, "%i", val) != 1)
+ return -EINVAL;
+ return count;
+}
 static int
 proc_write_mled(struct file *file, const char *buffer,
@@ -337,10 +352,8 @@ proc_write_mled(struct file *file, const
 int led_out = 0;
 struct asus_hotk *hotk = (struct asus_hotk *) data;
-
-
- /* scan expression. Multiple expressions may be delimited with ; */
- if (sscanf(buffer, "%i", &value) == 1)
+ count = parse_arg(buffer, count, &value);
+ if (count > 0)
 led_out = ~value & 1;
 hotk->status =
@@ -392,7 +405,8 @@ proc_write_wled(struct file *file, const
 struct asus_hotk *hotk = (struct asus_hotk *) data;
 /* scan expression. Multiple expressions may be delimited with ; */
- if (sscanf(buffer, "%i", &value) == 1)
+ count = parse_arg(buffer, count, &value);
+ if (count > 0)
 led_out = value & 1;
 hotk->status =
@@ -442,7 +456,8 @@ proc_write_lcd(struct file *file, const
 struct asus_hotk *hotk = (struct asus_hotk *) data;
 /* scan expression. Multiple expressions may be delimited with ; */
- if (sscanf(buffer, "%i", &value) == 1)
+ count = parse_arg(buffer, count, &value);
+ if (count > 0)
 lcd = value & 1;
 lcd_status = get_lcd_state(hotk);
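Review bot: parse_arg() is added without a comment describing its three return classes, even though every caller in this patch branches on the result. A header such as `/* Copy up to 31 bytes from user space and parse one integer: returns 0 for an empty write, -EINVAL or -EFAULT on failure, otherwise count. */` would make clear that the result must be held in a signed variable. The `count > 31` check and `s[count] = 0` keep both the copy and the terminator inside `s[32]`, so the bounded copy itself looks correct.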
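Review bot: In proc_write_mled the result of parse_arg() is stored back into `count`, so a negative error return is likely treated as success. The declaration of `count` is outside the hunk, but if it is the handler's `unsigned long` length argument (parse_arg itself takes it as `unsigned long`), -EINVAL or -EFAULT becomes a very large positive number and `count > 0` stays true. The handler then computes `led_out` from `value`, which parse_arg never wrote on those paths, so a rejected or faulting write still drives the hardware from whatever `value` holds (its declaration is also outside the hunk). Keep the result in a signed local and test that instead: `rv = parse_arg(buffer, count, &value);` followed by `if (rv > 0)`, with `rv` passed back on error. The proc_write_wled, proc_write_lcd, proc_write_brn and proc_write_disp hunks repeat the same two lines; in proc_write_disp this leaves the existing warning branch reachable only for an empty write.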
@@ -522,7 +537,8 @@ proc_write_brn(struct file *file, const
 struct asus_hotk *hotk = (struct asus_hotk *) data;
 /* scan expression. Multiple expressions may be delimited with ; */
- if (sscanf(buffer, "%d", &value) == 1) {
+ count = parse_arg(buffer, count, &value);
+ if (count > 0) {
 value = (0 < value) ? ((15 < value) ? 15 : value) : 0; /* 0 <= value <= 15 */
 set_brightness(value, hotk);
@@ -574,7 +590,8 @@ proc_write_disp(struct file *file, const
 struct asus_hotk *hotk = (struct asus_hotk *) data;
 /* scan expression. Multiple expressions may be delimited with ; */
- if (sscanf(buffer, "%d", &value) == 1)
+ count = parse_arg(buffer, count, &value);
+ if (count > 0)
 set_display(value, hotk);
 else {
 printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
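Review bot: Routing proc_write_brn through parse_arg() silently changes the accepted number syntax, because the removed line scanned with `%d` while parse_arg scans with `%i`. Input with a leading `0` or `0x` is now read as octal or hexadecimal, so a write of `010` yields 8 where it used to yield 10; proc_write_disp in the next hunk gets the same change. If that is intended, the comment kept above the call should say so, for example `/* value is parsed with %i: decimal, 0x hex or leading-0 octal */`. The retained "scan expression. Multiple expressions may be delimited with ;" text does not describe the single-integer parse, and the proc_write_mled hunk already drops it.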