From: David Herrmann <dh.herrmann@xxxxxxxxxxxxxx> Let's check whether the user-supplied buffer is actually big enough and return -EINVAL if it is not. This differs from current behavior, which caused 0 to be returned and actually does not make any sense, as broken application will simply repeat the read getting into endless loop. Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxxxxxxx> Signed-off-by: Dmitry Torokhov <dtor@xxxxxxx> --- drivers/input/misc/uinput.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 7360568..eb9723a 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -457,6 +457,9 @@ static ssize_t uinput_read(struct file *file, char __user *buffer, size_t count, struct uinput_device *udev = file->private_data; int retval = 0; + if (count < input_event_size()) + return -EINVAL; + if (udev->state != UIST_CREATED) return -ENODEV; -- 1.7.7.6 -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
