Re: [patch 001/001] input: fix read past array bounds

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

thx for checking that.
i did not notice these key_map -> keymaps difference.
If understand the code (key_map = key_maps[shift_final];)
that you could simply use
key_maps[shift_final][keycode]
NTL that would be a totaly different patch.

re,
 wh


Michal Roszkowski schrieb:
> Thanks Walter,
> I can't use ARRAY_SIZE because key_map is declared as an unsigned short
> *. I noticed that in vt_ioctl.c the assumption is made that all key maps
> are the same size as plain_map[], so if we were to make the same (safe)
> assumption, we could use the conditional keycode <
> ARRAY_SIZE(plain_map), but I think that that would make the code more
> confusing than the simple test against NR_KEYS.
> 
> But here's the patch containing the stylistic suggestions:
> 
> --- linux-2.6.26.5/drivers/char/keyboard.c.orig    2008-10-06
> 07:19:47.000000000 +1030
> +++ linux-2.6.26.5/drivers/char/keyboard.c    2008-10-06
> 08:34:48.000000000 +1030
> @@ -1247,13 +1247,14 @@ static void kbd_keycode(unsigned int key
>          return;
>      }
> 
> -    if (keycode > NR_KEYS)
> +    if (keycode < NR_KEYS)
> +        keysym = key_map[keycode];
> +    else {
>          if (keycode >= KEY_BRL_DOT1 && keycode <= KEY_BRL_DOT8)
>              keysym = K(KT_BRL, keycode - KEY_BRL_DOT1 + 1);
>          else
>              return;
> -    else
> -        keysym = key_map[keycode];
> +    }
> 
>      type = KTYP(keysym);
> 
> 
> On 06/10/2008, at 2:38 AM, walter harms wrote:
> 
>> nice catch,
>> just to improve readablility .... and reduce the change of an other
>> error ...
>>
>>
>>
>> if (keycode < ARRAY_SIZE(key_map) )   
>>     keysym = key_map[keycode];
>> else {
>>           if (keycode >= KEY_BRL_DOT1 && keycode <= KEY_BRL_DOT8)
>>                        keysym = K(KT_BRL, keycode - KEY_BRL_DOT1 + 1);
>>               else
>>                       return;
>>     }
>>
>>
>>
>> re,
>> wh
>>
>> Michal Roszkowski schrieb:
>>>
>>> ---
>>>
>>> Trivial fix for read past end of key_map[] when keycode = NR_KEYS.
>>>
>>> --- linux-2.6.26.5/drivers/char/keyboard.c.orig    2008-10-05
>>> 15:51:09.000000000 +1030
>>> +++ linux-2.6.26.5/drivers/char/keyboard.c    2008-10-05
>>> 15:52:17.000000000 +1030
>>> @@ -1247,7 +1247,7 @@ static void kbd_keycode(unsigned int key
>>>        return;
>>>    }
>>>
>>> -    if (keycode > NR_KEYS)
>>> +    if (keycode >= NR_KEYS)
>>>        if (keycode >= KEY_BRL_DOT1 && keycode <= KEY_BRL_DOT8)
>>>            keysym = K(KT_BRL, keycode - KEY_BRL_DOT1 + 1);
>>>        else
>>>
>>> -- 
>>> To unsubscribe from this list: send the line "unsubscribe
>>> kernel-janitors" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>
>>>
> 
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux