On Tuesday 22 March 2005 20:26, Adrian Bunk wrote:
> The Coverity checker found the following bug in the function
> gunze_process_packet in drivers/input/touchscreen/gunze.c:
>
>
> <-- snip -->
>
> ...
> #define GUNZE_MAX_LENGTH 10
> ...
> struct gunze {
> ...
> unsigned char data[GUNZE_MAX_LENGTH];
> ...
> };
> ...
> static void gunze_process_packet(struct gunze* gunze, struct pt_regs *regs)
> ...
> gunze->data[10] = 0;
> ...
>
> <-- snip -->
>
>
> The bug is obvious, but for a correct solution someone should know this
> code better than I do.
>
Ahh, it looks like it was just an attempt to null-terminate packet for
printk. The patch below should do the trick.
--
Dmitry
===================================================================
Input: gunze - fix out-of-bound array access reported by Adrian Bunk.
Signed-off-by: Dmitry Torokhov <[email protected]>
gunze.c | 3 +--
1 files changed, 1 insertion(+), 2 deletions(-)
Index: dtor/drivers/input/touchscreen/gunze.c
===================================================================
--- dtor.orig/drivers/input/touchscreen/gunze.c
+++ dtor/drivers/input/touchscreen/gunze.c
@@ -68,8 +68,7 @@ static void gunze_process_packet(struct
if (gunze->idx != GUNZE_MAX_LENGTH || gunze->data[5] != ',' ||
(gunze->data[0] != 'T' && gunze->data[0] != 'R')) {
- gunze->data[10] = 0;
- printk(KERN_WARNING "gunze.c: bad packet: >%s<\n", gunze->data);
+ printk(KERN_WARNING "gunze.c: bad packet: >%.*s<\n", GUNZE_MAX_LENGTH, gunze->data);
return;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]