diff options
author | Jiri Kosina <jkosina@suse.cz> | 2007-10-15 15:17:41 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-10-15 08:12:00 -0700 |
commit | 57d292bd7e6e72898e533687af481603597b1ca7 (patch) | |
tree | d9594d10bfc843b44eb4ad1b32f945b000330f8c /drivers/hid/hidraw.c | |
parent | 23fd50450a34f2558070ceabb0bfebc1c9604af5 (diff) | |
download | kernel_samsung_smdk4412-57d292bd7e6e72898e533687af481603597b1ca7.zip kernel_samsung_smdk4412-57d292bd7e6e72898e533687af481603597b1ca7.tar.gz kernel_samsung_smdk4412-57d292bd7e6e72898e533687af481603597b1ca7.tar.bz2 |
HID: fix HIDIOCGRDESC memory access in hidraw
Fix bogus copying of data into userspace when HIDIOCGRDESC is issued.
HID-transport layer makes sure that dev->hid->rdesc is not larger than
HID_MAX_DESCRIPTOR_SIZE.
Noticed-by: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/hid/hidraw.c')
-rw-r--r-- | drivers/hid/hidraw.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 8503197..a702e2f 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -229,9 +229,15 @@ static int hidraw_ioctl(struct inode *inode, struct file *file, unsigned int cmd if (get_user(len, (int __user *)arg)) return -EFAULT; - if (copy_to_user(*((__u8 **)(user_arg + - sizeof(__u32))), - dev->hid->rdesc, len)) + + if (len > HID_MAX_DESCRIPTOR_SIZE - 1) + return -EINVAL; + + if (copy_to_user(user_arg + offsetof( + struct hidraw_report_descriptor, + value[0]), + dev->hid->rdesc, + min(dev->hid->rsize, len))) return -EFAULT; return 0; } |