>From: ext Alan Cox [mailto:alan@xxxxxxxxxxxxxxxxxxx] >Sent: 08 November, 2010 13:39 > >On Mon, 8 Nov 2010 12:08:07 +0100 ><ilkka.koskinen@xxxxxxxxx> wrote: > >> Hi, >> >> >From: ext Alan Cox [mailto:alan@xxxxxxxxxxxxxxxxxxx] >> >Sent: 08 November, 2010 01:52 >> > >> >> + datalen = p->custom_len * sizeof(p->custom_data[0]); >> > >> >signed >> > >> >> + if (datalen > MAX_EFFECT_SIZE) { >> > >> >unsigned >> >> It should be unsigned. I'll fix it. >> >> >> + memcpy(einfo->buf, p->custom_data, datalen); >> > >> >ungood >> >> Yep, that's clearly wrong too. Should be copy_from_user() I suppose. > >That I hadn't considered - and I'm not sure whether the caller is passed >a kernel copy or not. The problem I was looking at was just the signed >case > > datalen < 0 > if (datalen > MAX ..) > Nope > > memcpy(kernel, mysource, vastly more than intended (unsigned)) Ah, I got it now. Thanks for clarification :) Cheers, Ilkka -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
