Hi Peter, > As was recently brought up on the busybox list > (http://lists.busybox.net/pipermail/busybox/2011-January/074565.html), > evdev_write doesn't properly check the count argument, which will > lead to a return value > count on partial writes if the remaining bytes > are accessible - Causing userspace confusion. > > Fix it by only handling each full input_event structure and return -EINVAL > if less than 1 struct was written, similar to how it is done in evdev_read. > > Signed-off-by: Peter Korsgaard <jacmet@xxxxxxxxxx> Why not add the Reported-by here yourself? > @@ -321,6 +321,9 @@ static ssize_t evdev_write(struct file *file, const char __user *buffer, > struct input_event event; > int retval; > > + if (count < input_event_size()) > + return -EINVAL; > + This assumes that write will only ever be called with sufficient data. It is not an error to write (and report) less data than specified, so perhaps the above will yield unpleasant surprises. > retval = mutex_lock_interruptible(&evdev->mutex); > if (retval) > return retval; > @@ -330,7 +333,7 @@ static ssize_t evdev_write(struct file *file, const char __user *buffer, > goto out; > } > > - while (retval < count) { > + while ((retval + input_event_size()) <= count) { Too many parenthesis. > > if (input_event_from_user(buffer + retval, &event)) { > retval = -EFAULT; Thanks, Henrik -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
