diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-01-09 15:32:31 +0300 |
---|---|---|
committer | Luis Henriques <luis.henriques@canonical.com> | 2015-01-16 14:34:34 +0000 |
commit | e3ce0787f0ca66d37c3cd6534e72676f01b12b96 (patch) | |
tree | c7ea8c3f56d01f261bcfc9a4244b7679fcf68ee3 | |
parent | 90f577a1d9fea14c455b0dcd5965fe992d9b1e96 (diff) | |
download | linux-stable-e3ce0787f0ca66d37c3cd6534e72676f01b12b96.tar.gz linux-stable-e3ce0787f0ca66d37c3cd6534e72676f01b12b96.tar.bz2 linux-stable-e3ce0787f0ca66d37c3cd6534e72676f01b12b96.zip |
HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream.
This is a static checker fix. We write some binary settings to the
sysfs file. One of the settings is the "->startup_profile". There
isn't any checking to make sure it fits into the
pyra->profile_settings[] array in the profile_activated() function.
I added a check to pyra_sysfs_write_settings() in both places because
I wasn't positive that the other callers were correct.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-rw-r--r-- | drivers/hid/hid-roccat-pyra.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/hid/hid-roccat-pyra.c b/drivers/hid/hid-roccat-pyra.c index 1a07e07d99a0..47d7e74231e5 100644 --- a/drivers/hid/hid-roccat-pyra.c +++ b/drivers/hid/hid-roccat-pyra.c @@ -35,6 +35,8 @@ static struct class *pyra_class; static void profile_activated(struct pyra_device *pyra, unsigned int new_profile) { + if (new_profile >= ARRAY_SIZE(pyra->profile_settings)) + return; pyra->actual_profile = new_profile; pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi; } @@ -257,9 +259,11 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp, if (off != 0 || count != PYRA_SIZE_SETTINGS) return -EINVAL; - mutex_lock(&pyra->pyra_lock); - settings = (struct pyra_settings const *)buf; + if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings)) + return -EINVAL; + + mutex_lock(&pyra->pyra_lock); retval = pyra_set_settings(usb_dev, settings); if (retval) { |