Input: fix potential overflows in driver/input/joystick

Change all sprintfs into snprintfs to make sure we won't stomp on data adjacent to our buffers. Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

Input: fix potential overflows in driver/input/joystick
Change all sprintfs into snprintfs to make sure we won't stomp on data adjacent to our buffers. Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Dmitry Torokhov
1 parent 08ffce4560
Showing 16 changed files with 40 additions and 30 deletions Side-by-side Diff
drivers/input/joystick/a3d.c
drivers/input/joystick/analog.c
drivers/input/joystick/cobra.c
drivers/input/joystick/db9.c
drivers/input/joystick/gamecon.c
drivers/input/joystick/gf2k.c
drivers/input/joystick/grip.c
drivers/input/joystick/guillemot.c
drivers/input/joystick/interact.c
drivers/input/joystick/magellan.c
drivers/input/joystick/sidewinder.c
drivers/input/joystick/spaceball.c
drivers/input/joystick/spaceorb.c
drivers/input/joystick/stinger.c
drivers/input/joystick/twidjoy.c
drivers/input/joystick/warrior.c
@@ -306,7 +306,7 @@
 	gameport_set_poll_handler(gameport, a3d_poll);
 	gameport_set_poll_interval(gameport, 20);
  
-	sprintf(a3d->phys, "%s/input0", gameport->phys);
+	snprintf(a3d->phys, sizeof(a3d->phys), "%s/input0", gameport->phys);
  
 	input_dev->name = a3d_names[a3d->mode];
 	input_dev->phys = a3d->phys;
@@ -408,21 +408,23 @@
  
 static void analog_name(struct analog *analog)
 {
-	sprintf(analog->name, "Analog %d-axis %d-button",
-		hweight8(analog->mask & ANALOG_AXES_STD),
-		hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
-		hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
+	snprintf(analog->name, sizeof(analog->name), "Analog %d-axis %d-button",
+		 hweight8(analog->mask & ANALOG_AXES_STD),
+		 hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
+		 hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
  
 	if (analog->mask & ANALOG_HATS_ALL)
-		sprintf(analog->name, "%s %d-hat",
-			analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
+		snprintf(analog->name, sizeof(analog->name), "%s %d-hat",
+			 analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
  
 	if (analog->mask & ANALOG_HAT_FCS)
-			strcat(analog->name, " FCS");
+		strlcat(analog->name, " FCS", sizeof(analog->name));
 	if (analog->mask & ANALOG_ANY_CHF)
-			strcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF");
+		strlcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF",
+			sizeof(analog->name));
  
-	strcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick");
+	strlcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick",
+		sizeof(analog->name));
 }
  
 /*
@@ -435,7 +437,8 @@
 	int i, j, t, v, w, x, y, z;
  
 	analog_name(analog);
-	sprintf(analog->phys, "%s/input%d", port->gameport->phys, index);
+	snprintf(analog->phys, sizeof(analog->phys),
+		 "%s/input%d", port->gameport->phys, index);
 	analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn;
  
 	analog->dev = input_dev = input_allocate_device();
@@ -202,7 +202,8 @@
 			goto fail3;
 		}
  
-		sprintf(cobra->phys[i], "%s/input%d", gameport->phys, i);
+		snprintf(cobra->phys[i], sizeof(cobra->phys[i]),
+			 "%s/input%d", gameport->phys, i);
  
 		input_dev->name = "Creative Labs Blaster GamePad Cobra";
 		input_dev->phys = cobra->phys[i];
@@ -620,7 +620,8 @@
 			goto err_unreg_devs;
 		}
  
-		sprintf(db9->phys[i], "%s/input%d", db9->pd->port->name, i);
+		snprintf(db9->phys[i], sizeof(db9->phys[i]),
+			 "%s/input%d", db9->pd->port->name, i);
  
 		input_dev->name = db9_mode->name;
 		input_dev->phys = db9->phys[i];
@@ -761,7 +761,8 @@
 		if (!pads[i])
 			continue;
  
-		sprintf(gc->phys[i], "%s/input%d", gc->pd->port->name, i);
+		snprintf(gc->phys[i], sizeof(gc->phys[i]),
+			 "%s/input%d", gc->pd->port->name, i);
 		err = gc_setup_pad(gc, i, pads[i]);
 		if (err)
 			goto err_unreg_devs;
@@ -298,7 +298,7 @@
 	gameport_set_poll_handler(gameport, gf2k_poll);
 	gameport_set_poll_interval(gameport, 20);
  
-	sprintf(gf2k->phys, "%s/input0", gameport->phys);
+	snprintf(gf2k->phys, sizeof(gf2k->phys), "%s/input0", gameport->phys);
  
 	gf2k->length = gf2k_lens[gf2k->id];
  
@@ -354,7 +354,8 @@
 			goto fail3;
 		}
  
-		sprintf(grip->phys[i], "%s/input%d", gameport->phys, i);
+		snprintf(grip->phys[i], sizeof(grip->phys[i]),
+			 "%s/input%d", gameport->phys, i);
  
 		input_dev->name = grip_name[grip->mode[i]];
 		input_dev->phys = grip->phys[i];
@@ -222,7 +222,7 @@
 	gameport_set_poll_handler(gameport, guillemot_poll);
 	gameport_set_poll_interval(gameport, 20);
  
-	sprintf(guillemot->phys, "%s/input0", gameport->phys);
+	snprintf(guillemot->phys, sizeof(guillemot->phys), "%s/input0", gameport->phys);
 	guillemot->type = guillemot_type + i;
  
 	input_dev->name = guillemot_type[i].name;
@@ -251,7 +251,7 @@
 	gameport_set_poll_handler(gameport, interact_poll);
 	gameport_set_poll_interval(gameport, 20);
  
-	sprintf(interact->phys, "%s/input0", gameport->phys);
+	snprintf(interact->phys, sizeof(interact->phys), "%s/input0", gameport->phys);
  
 	interact->type = i;
 	interact->length = interact_type[i].length;
@@ -162,7 +162,7 @@
 		goto fail;
  
 	magellan->dev = input_dev;
-	sprintf(magellan->phys, "%s/input0", serio->phys);
+	snprintf(magellan->phys, sizeof(magellan->phys), "%s/input0", serio->phys);
  
 	input_dev->name = "LogiCad3D Magellan / SpaceMouse";
 	input_dev->phys = magellan->phys;
@@ -541,7 +541,7 @@
  * Unfortunately I don't know how to do this for the other SW types.
  */
  
-static void sw_3dp_id(unsigned char *buf, char *comment)
+static void sw_3dp_id(unsigned char *buf, char *comment, size_t size)
 {
 	int i;
 	char pnp[8], rev[9];
@@ -554,7 +554,7 @@
  
 	pnp[7] = rev[8] = 0;
  
-	sprintf(comment, " [PnP %d.%02d id %s rev %s]",
+	snprintf(comment, size, " [PnP %d.%02d id %s rev %s]",
 		(int) ((sw_get_bits(buf, 8, 6, 1) << 6) |		/* Two 6-bit values */
 			sw_get_bits(buf, 16, 6, 1)) / 100,
 		(int) ((sw_get_bits(buf, 8, 6, 1) << 6) |
@@ -695,7 +695,7 @@
 						sw->type = SW_ID_FFP;
 						sprintf(comment, " [AC %s]", sw_get_bits(idbuf,38,1,3) ? "off" : "on");
 					} else
-					sw->type = SW_ID_PP;
+						sw->type = SW_ID_PP;
 					break;
 				case 66:
 					sw->bits = 3;
@@ -703,7 +703,8 @@
 					sw->length = 22;
 				case 64:
 					sw->type = SW_ID_3DP;
-					if (j == 160) sw_3dp_id(idbuf, comment);
+					if (j == 160)
+						sw_3dp_id(idbuf, comment, sizeof(comment));
 					break;
 			}
 		}
@@ -733,8 +734,10 @@
 	for (i = 0; i < sw->number; i++) {
 		int bits, code;
  
-		sprintf(sw->name, "Microsoft SideWinder %s", sw_name[sw->type]);
-		sprintf(sw->phys[i], "%s/input%d", gameport->phys, i);
+		snprintf(sw->name, sizeof(sw->name),
+			 "Microsoft SideWinder %s", sw_name[sw->type]);
+		snprintf(sw->phys[i], sizeof(sw->phys[i]),
+			 "%s/input%d", gameport->phys, i);
  
 		sw->dev[i] = input_dev = input_allocate_device();
 		if (!input_dev) {
@@ -220,7 +220,7 @@
 		goto fail;
  
 	spaceball->dev = input_dev;
-	sprintf(spaceball->phys, "%s/input0", serio->phys);
+	snprintf(spaceball->phys, sizeof(spaceball->phys), "%s/input0", serio->phys);
  
 	input_dev->name = spaceball_names[id];
 	input_dev->phys = spaceball->phys;
@@ -177,7 +177,7 @@
 		goto fail;
  
 	spaceorb->dev = input_dev;
-	sprintf(spaceorb->phys, "%s/input0", serio->phys);
+	snprintf(spaceorb->phys, sizeof(spaceorb->phys), "%s/input0", serio->phys);
  
 	input_dev->name = "SpaceTec SpaceOrb 360 / Avenger";
 	input_dev->phys = spaceorb->phys;
@@ -148,7 +148,7 @@
 		goto fail;
  
 	stinger->dev = input_dev;
-	sprintf(stinger->phys, "%s/serio0", serio->phys);
+	snprintf(stinger->phys, sizeof(stinger->phys), "%s/serio0", serio->phys);
  
 	input_dev->name = "Gravis Stinger";
 	input_dev->phys = stinger->phys;
@@ -199,7 +199,7 @@
 		goto fail;
  
 	twidjoy->dev = input_dev;
-	sprintf(twidjoy->phys, "%s/input0", serio->phys);
+	snprintf(twidjoy->phys, sizeof(twidjoy->phys), "%s/input0", serio->phys);
  
 	input_dev->name = "Handykey Twiddler";
 	input_dev->phys = twidjoy->phys;
@@ -154,7 +154,7 @@
 		goto fail;
  
 	warrior->dev = input_dev;
-	sprintf(warrior->phys, "%s/input0", serio->phys);
+	snprintf(warrior->phys, sizeof(warrior->phys), "%s/input0", serio->phys);
  
 	input_dev->name = "Logitech WingMan Warrior";
 	input_dev->phys = warrior->phys;
...	...	@@ -306,7 +306,7 @@
306	306	gameport_set_poll_handler(gameport, a3d_poll);
307	307	gameport_set_poll_interval(gameport, 20);
308	308
309		- sprintf(a3d->phys, "%s/input0", gameport->phys);
	309	+ snprintf(a3d->phys, sizeof(a3d->phys), "%s/input0", gameport->phys);
310	310
311	311	input_dev->name = a3d_names[a3d->mode];
312	312	input_dev->phys = a3d->phys;
...	...	@@ -408,21 +408,23 @@
408	408
409	409	static void analog_name(struct analog *analog)
410	410	{
411		- sprintf(analog->name, "Analog %d-axis %d-button",
412		- hweight8(analog->mask & ANALOG_AXES_STD),
413		- hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
414		- hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
	411	+ snprintf(analog->name, sizeof(analog->name), "Analog %d-axis %d-button",
	412	+ hweight8(analog->mask & ANALOG_AXES_STD),
	413	+ hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
	414	+ hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
415	415
416	416	if (analog->mask & ANALOG_HATS_ALL)
417		- sprintf(analog->name, "%s %d-hat",
418		- analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
	417	+ snprintf(analog->name, sizeof(analog->name), "%s %d-hat",
	418	+ analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
419	419
420	420	if (analog->mask & ANALOG_HAT_FCS)
421		- strcat(analog->name, " FCS");
	421	+ strlcat(analog->name, " FCS", sizeof(analog->name));
422	422	if (analog->mask & ANALOG_ANY_CHF)
423		- strcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF");
	423	+ strlcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF",
	424	+ sizeof(analog->name));
424	425
425		- strcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick");
	426	+ strlcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick",
	427	+ sizeof(analog->name));
426	428	}
427	429
428	430	/*
...	...	@@ -435,7 +437,8 @@
435	437	int i, j, t, v, w, x, y, z;
436	438
437	439	analog_name(analog);
438		- sprintf(analog->phys, "%s/input%d", port->gameport->phys, index);
	440	+ snprintf(analog->phys, sizeof(analog->phys),
	441	+ "%s/input%d", port->gameport->phys, index);
439	442	analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn;
440	443
441	444	analog->dev = input_dev = input_allocate_device();
...	...	@@ -202,7 +202,8 @@
202	202	goto fail3;
203	203	}
204	204
205		- sprintf(cobra->phys[i], "%s/input%d", gameport->phys, i);
	205	+ snprintf(cobra->phys[i], sizeof(cobra->phys[i]),
	206	+ "%s/input%d", gameport->phys, i);
206	207
207	208	input_dev->name = "Creative Labs Blaster GamePad Cobra";
208	209	input_dev->phys = cobra->phys[i];
...	...	@@ -620,7 +620,8 @@
620	620	goto err_unreg_devs;
621	621	}
622	622
623		- sprintf(db9->phys[i], "%s/input%d", db9->pd->port->name, i);
	623	+ snprintf(db9->phys[i], sizeof(db9->phys[i]),
	624	+ "%s/input%d", db9->pd->port->name, i);
624	625
625	626	input_dev->name = db9_mode->name;
626	627	input_dev->phys = db9->phys[i];
...	...	@@ -761,7 +761,8 @@
761	761	if (!pads[i])
762	762	continue;
763	763
764		- sprintf(gc->phys[i], "%s/input%d", gc->pd->port->name, i);
	764	+ snprintf(gc->phys[i], sizeof(gc->phys[i]),
	765	+ "%s/input%d", gc->pd->port->name, i);
765	766	err = gc_setup_pad(gc, i, pads[i]);
766	767	if (err)
767	768	goto err_unreg_devs;
...	...	@@ -298,7 +298,7 @@
298	298	gameport_set_poll_handler(gameport, gf2k_poll);
299	299	gameport_set_poll_interval(gameport, 20);
300	300
301		- sprintf(gf2k->phys, "%s/input0", gameport->phys);
	301	+ snprintf(gf2k->phys, sizeof(gf2k->phys), "%s/input0", gameport->phys);
302	302
303	303	gf2k->length = gf2k_lens[gf2k->id];
304	304
...	...	@@ -354,7 +354,8 @@
354	354	goto fail3;
355	355	}
356	356
357		- sprintf(grip->phys[i], "%s/input%d", gameport->phys, i);
	357	+ snprintf(grip->phys[i], sizeof(grip->phys[i]),
	358	+ "%s/input%d", gameport->phys, i);
358	359
359	360	input_dev->name = grip_name[grip->mode[i]];
360	361	input_dev->phys = grip->phys[i];
...	...	@@ -222,7 +222,7 @@
222	222	gameport_set_poll_handler(gameport, guillemot_poll);
223	223	gameport_set_poll_interval(gameport, 20);
224	224
225		- sprintf(guillemot->phys, "%s/input0", gameport->phys);
	225	+ snprintf(guillemot->phys, sizeof(guillemot->phys), "%s/input0", gameport->phys);
226	226	guillemot->type = guillemot_type + i;
227	227
228	228	input_dev->name = guillemot_type[i].name;
...	...	@@ -251,7 +251,7 @@
251	251	gameport_set_poll_handler(gameport, interact_poll);
252	252	gameport_set_poll_interval(gameport, 20);
253	253
254		- sprintf(interact->phys, "%s/input0", gameport->phys);
	254	+ snprintf(interact->phys, sizeof(interact->phys), "%s/input0", gameport->phys);
255	255
256	256	interact->type = i;
257	257	interact->length = interact_type[i].length;
...	...	@@ -162,7 +162,7 @@
162	162	goto fail;
163	163
164	164	magellan->dev = input_dev;
165		- sprintf(magellan->phys, "%s/input0", serio->phys);
	165	+ snprintf(magellan->phys, sizeof(magellan->phys), "%s/input0", serio->phys);
166	166
167	167	input_dev->name = "LogiCad3D Magellan / SpaceMouse";
168	168	input_dev->phys = magellan->phys;