On Mon, 8 Nov 2010 12:08:07 +0100
<ilkka.koskinen@xxxxxxxxx> wrote:

> Hi,
>
> >From: ext Alan Cox [mailto:alan@xxxxxxxxxxxxxxxxxxx]
> >Sent: 08 November, 2010 01:52
> >
> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
> >
> >signed
> >
> >> + if (datalen > MAX_EFFECT_SIZE) {
> >
> >unsigned
>
> It should be unsigned. I'll fix it.
>
> >> + memcpy(einfo->buf, p->custom_data, datalen);
> >
> >ungood
>
> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.

That I hadn't considered - and I'm not sure whether the caller is passed a
kernel copy or not. The problem I was looking at was just the signed case

datalen < 0
	if (datalen > MAX ..)	Nope
	memcpy(kernel, mysource, vastly more than intended (unsigned))
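Review bot: the bound check at `if (datalen > MAX_EFFECT_SIZE)` runs only after `p->custom_len * sizeof(p->custom_data[0])` has been computed and stored, so depending on the types involved a large custom_len can wrap or be truncated before it is compared, even once datalen is made unsigned. Suggest validating the element count first, rejecting when `p->custom_len > MAX_EFFECT_SIZE / sizeof(p->custom_data[0])`, and only then computing datalen as a size_t. The memcpy() call should also carry a comment stating where p->custom_data comes from: if it can be a user pointer, as raised in the thread, the copy needs copy_from_user() with its return value checked.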
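The signed-length case described in this message, as an added userspace example that is not code from the patch or from either participant. The struct layouts, the field types and the value of MAX_EFFECT_SIZE are assumptions; only the field and macro names come from the quoted lines.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_EFFECT_SIZE 1024   /* assumed value; the thread does not give it */

/* Hypothetical stand-ins for the structures touched by the quoted patch. */
struct effect_params { const int16_t *custom_data; unsigned int custom_len; };
struct effect_info   { unsigned char buf[MAX_EFFECT_SIZE]; };

/* The check as quoted, with a signed datalen. Returns the byte count that
 * memcpy() would receive, or 0 if the request is rejected. No copy is made. */
size_t len_signed_check(unsigned int custom_len)
{
    /* Out-of-range conversion to int: wraps negative on gcc and clang. */
    int datalen = (int)(custom_len * sizeof(int16_t));

    if (datalen > MAX_EFFECT_SIZE)   /* negative datalen is not "too big" */
        return 0;
    return (size_t)datalen;          /* negative becomes a huge size_t */
}

/* Hardened form: bound the element count before multiplying, unsigned
 * throughout. Returns 0 after copying, -1 if the request is rejected.
 * memcpy() is used because this is a userspace demo; whether the kernel
 * code needs copy_from_user() is left open in the thread. */
int copy_effect(struct effect_info *einfo, const struct effect_params *p)
{
    const size_t max_elems = MAX_EFFECT_SIZE / sizeof(p->custom_data[0]);

    if (p->custom_data == NULL || p->custom_len > max_elems)
        return -1;
    memcpy(einfo->buf, p->custom_data,
           (size_t)p->custom_len * sizeof(p->custom_data[0]));
    return 0;
}
```

With a constructed custom_len of 0x7fffffff the signed check accepts the request and yields a size two bytes short of SIZE_MAX, while copy_effect() rejects it.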