[PATCH 3.4 095/176] HID: roccat: potential out of bounds in pyra_sysfs_write_settings()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

3.4.107-rc1 review patch.  If anyone has any objections, please let me know.

------------------


commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream.

This is a static checker fix.  We write some binary settings to the
sysfs file.  One of the settings is the "->startup_profile".  There
isn't any checking to make sure it fits into the
pyra->profile_settings[] array in the profile_activated() function.

I added a check to pyra_sysfs_write_settings() in both places because
I wasn't positive that the other callers were correct.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Jiri Kosina <jkosina@xxxxxxx>
[lizf: Backported to 3.4: define the variable @settings]
Signed-off-by: Zefan Li <lizefan@xxxxxxxxxx>
---
 drivers/hid/hid-roccat-pyra.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/hid/hid-roccat-pyra.c b/drivers/hid/hid-roccat-pyra.c
index df05c1b1..5346647 100644
--- a/drivers/hid/hid-roccat-pyra.c
+++ b/drivers/hid/hid-roccat-pyra.c
@@ -35,6 +35,8 @@ static struct class *pyra_class;
 static void profile_activated(struct pyra_device *pyra,
 		unsigned int new_profile)
 {
+	if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
+		return;
 	pyra->actual_profile = new_profile;
 	pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
 }
@@ -299,10 +301,15 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp,
 	int retval = 0;
 	int difference;
 	struct pyra_roccat_report roccat_report;
+	struct pyra_settings const *settings;
 
 	if (off != 0 || count != sizeof(struct pyra_settings))
 		return -EINVAL;
 
+	settings = (struct pyra_settings const *)buf;
+	if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings))
+		return -EINVAL;
+
 	mutex_lock(&pyra->pyra_lock);
 	difference = memcmp(buf, &pyra->settings, sizeof(struct pyra_settings));
 	if (difference) {
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]