Hi

On Thu, Feb 20, 2014 at 5:36 PM, Frank Praznik <frank.praznik@xxxxxxxxx> wrote:
> Make sure that an out-of-bounds read doesn't occur in the Sixaxis battery level
> lookup table in the event that the controller sends an invalid battery status
> value in the report.
>
> Signed-off-by: Frank Praznik <frank.praznik@xxxxxxxxx>
> ---
> drivers/hid/hid-sony.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
> index a51a9c0..b39e3ab 100644
> --- a/drivers/hid/hid-sony.c
> +++ b/drivers/hid/hid-sony.c
> @@ -854,7 +854,8 @@ static void sixaxis_parse_report(struct sony_sc *sc, __u8 *rd, int size)
> battery_capacity = 100;
> battery_charging = !(rd[30] & 0x01);
> } else {
> - battery_capacity = sixaxis_battery_capacity[rd[30]];
> + __u8 index = rd[30] <= 5 ? rd[30] : 5;
> + battery_capacity = sixaxis_battery_capacity[index];

Does it make sense to read something else on invalid reports? Sounds weird to me to just read at a lower index in case it's too short. Shouldn't you just bail out? But the worst that can happen is wrong battery values reported to user-space, so I'm fine with it.

Thanks
David

> battery_charging = 0;
> }
> cable_state = !((rd[31] >> 4) & 0x01);
> --
> 1.8.5.3
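
Review bot: The bound in `__u8 index = rd[30] <= 5 ? rd[30] : 5;` is a literal 5 that has to be kept in step with the length of sixaxis_battery_capacity by hand; deriving it from the table, for example with ARRAY_SIZE(sixaxis_battery_capacity) - 1, keeps the check correct if the table is ever resized. Clamping also means every out-of-range status byte is reported as whatever the last table entry holds, so user space cannot tell an invalid report from a valid one. If that is intended, a short comment saying so would help; otherwise, skipping the battery update when rd[30] > 5 avoids publishing a value the controller never sent.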