+ input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow.patch added to -mm tree

akpm@xxxxxxxx · Mon, 19 Jun 2006 19:42:14 -0700

The patch titled

     input/mouse/sermouse: fix memleak and potential buffer overflow

has been added to the -mm tree.  Its filename is

     input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: input/mouse/sermouse: fix memleak and potential buffer overflow
From: Wouter Paesen <wouter@xxxxxxxxxxxxx>


While strolling trough the sermouse driver for some example code, I noticed
2 strange things happening there:

* In the sermouse_connect function an input device structure is
  allocated (input_allocate_device), which is not deallocated
  in the sermouse_disconnect function.

  If I understand this correctly someone repeatedly connecting and
  disconnecting the mouse would leak input_dev structures.

* In the sermouse_connect function the phys member of the sermouse
  structure (32 characters) is initialised with :

     sprintf(sermouse->phys, "%s/input0", serio->phys);

  Because serio->phys is also a 32 character field the sprintf could
  result in 39 characters being written to the sermouse->phys.

If my understanding of both these concepts is correct, this is a patch
to fix the problems.

Signed-off-by: Wouter Paesen <wouter@xxxxxxxxxxxxx>
Cc: Dmitry Torokhov <dtor_core@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 drivers/input/mouse/sermouse.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff -puN drivers/input/mouse/sermouse.c~input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow drivers/input/mouse/sermouse.c

--- a/drivers/input/mouse/sermouse.c~input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow
+++ a/drivers/input/mouse/sermouse.c
@@ -53,7 +53,7 @@ struct sermouse {
 	unsigned char count;
 	unsigned char type;
 	unsigned long last;
-	char phys[32];
+	char phys[39];
 };
 
 /*
@@ -233,6 +233,7 @@ static void sermouse_disconnect(struct s
 	serio_close(serio);
 	serio_set_drvdata(serio, NULL);
 	input_unregister_device(sermouse->dev);
+	input_free_device(sermouse->dev);
 	kfree(sermouse);
 }
 
_

Patches currently in -mm which might be from wouter@xxxxxxxxxxxxx are

input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




