On Thu, Dec 6, 2012 at 11:01 AM, Jiri Kosina <jkosina@xxxxxxx> wrote:
>> > - count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
>> > + ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
>> >
>> > + if (!ret_count)
>>
>> I'd make this (ret_count <= 2), as this would let you call memcpy with a
>> null or even negative length.
>
> Good catch, it doesn't account for the 2 bytes needed for storing the
> reply size.
>
> I have fixed that and applied the patch, thanks everybody!
>

Hi Jiri, Jean,

thank you very much for the work done. I was in a meeting past two days, so I was not able to answer sooner.

Cheers,
Benjamin
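Review bot: the added test if (!ret_count), which follows the line ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);, rejects only a reported length of zero, so values of 1 and 2 still pass. The reply in the thread notes that the 2 bytes storing the reply size are part of that count, so the test should be (ret_count <= 2) to keep the length handed to memcpy from reaching zero or going negative. The quoted lines also show no upper bound on ret_count, which is read directly from the input buffer, so it is worth confirming that the rest of the function caps it against the destination buffer size before the copy.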