- input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow.patch removed from -mm tree

akpm@xxxxxxxx · Mon, 26 Jun 2006 18:12:00 -0700

The patch titled

     input/mouse/sermouse: fix memleak and potential buffer overflow

has been removed from the -mm tree.  Its filename is

     input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
Subject: input/mouse/sermouse: fix memleak and potential buffer overflow
From: Wouter Paesen <wouter@xxxxxxxxxxxxx>


While strolling trough the sermouse driver for some example code, I noticed
2 strange things happening there:

* In the sermouse_connect function an input device structure is
  allocated (input_allocate_device), which is not deallocated
  in the sermouse_disconnect function.

  If I understand this correctly someone repeatedly connecting and
  disconnecting the mouse would leak input_dev structures.

* In the sermouse_connect function the phys member of the sermouse
  structure (32 characters) is initialised with :

     sprintf(sermouse->phys, "%s/input0", serio->phys);

  Because serio->phys is also a 32 character field the sprintf could
  result in 39 characters being written to the sermouse->phys.

If my understanding of both these concepts is correct, this is a patch
to fix the problems.

Signed-off-by: Wouter Paesen <wouter@xxxxxxxxxxxxx>
Cc: Dmitry Torokhov <dtor_core@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 drivers/input/mouse/sermouse.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff -puN drivers/input/mouse/sermouse.c~input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow drivers/input/mouse/sermouse.c

--- a/drivers/input/mouse/sermouse.c~input-mouse-sermouse-fix-memleak-and-potential-buffer-overflow
+++ a/drivers/input/mouse/sermouse.c
@@ -53,7 +53,7 @@ struct sermouse {
 	unsigned char count;
 	unsigned char type;
 	unsigned long last;
-	char phys[32];
+	char phys[39];
 };
 
 /*
@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio
 		goto fail;
 
 	sermouse->dev = input_dev;
-	sprintf(sermouse->phys, "%s/input0", serio->phys);
+	snprintf(sermouse->phys, 39, "%s/input0", serio->phys);
 	sermouse->type = serio->id.proto;
 
 	input_dev->name = sermouse_protocols[sermouse->type];
_

Patches currently in -mm which might be from wouter@xxxxxxxxxxxxx are

origin.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




