Wouter Paesen wrote: >On Sun, Jun 18, 2006 at 12:24:31AM -0400, Dmitry Torokhov wrote: >> > Because serio->phys is also a 32 character field the sprintf could >> > result in 39 characters being written to the sermouse->phys. >> >> Right, we need to change it to use snprintf. > >Thanks, this patch will do just that. >Still, keeping the array 39 characters long will prevent truncation of the > string. > >Signed-off-by: Wouter Paesen <[email protected]> > >--- linux-2.6.17-rc6.orig/drivers/input/mouse/sermouse.c 2006-06-20 > 08:31:12.000000000 +0200 +++ > linux-2.6.17-rc6/drivers/input/mouse/sermouse.c 2006-06-20 > 08:31:41.000000000 +0200 @@ -53,7 +53,7 @@ struct sermouse { > unsigned char count; > unsigned char type; > unsigned long last; >- char phys[32]; >+ char phys[39]; > }; > > /* >@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio > goto fail; > > sermouse->dev = input_dev; >- sprintf(sermouse->phys, "%s/input0", serio->phys); >+ snprintf(sermouse->phys, 39, "%s/input0", serio->phys); This adds a magic number here. I suggest using sizeof(sermouse->phys) instead. Eike
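Review bot: In the struct sermouse hunk, the new size in "char phys[39];" is not explained anywhere in the code. From the discussion it is the 32-byte serio->phys (at most 31 characters plus the terminator) plus the 7 characters of "/input0". A short comment next to the field stating that derivation would keep the two sizes from drifting apart if serio->phys is ever resized.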
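Review bot: In the sermouse_connect hunk, the bound passed to snprintf is the literal 39, which duplicates the array size from the struct definition. If phys is resized later and this call is missed, the bound either exceeds the buffer or truncates needlessly. Pass sizeof(sermouse->phys) as the second argument so the limit always follows the declaration.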
- References:
- [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow
- From: Wouter Paesen <[email protected]>
- Re: [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow
- From: Dmitry Torokhov <[email protected]>
- Re: [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow
- From: Wouter Paesen <[email protected]>