Commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab
Committed by
Jiri Kosina
Jiri Kosina
1 parent
2bacedada6
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
This is a static checker fix. We write some binary settings to the sysfs file. One of the settings is the "->startup_profile". There isn't any checking to make sure it fits into the pyra->profile_settings[] array in the profile_activated() function. I added a check to pyra_sysfs_write_settings() in both places because I wasn't positive that the other callers were correct. Cc: <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Showing 1 changed file with 6 additions and 2 deletions Side-by-side Diff
drivers/hid/hid-roccat-pyra.c
| ... | ... | @@ -35,6 +35,8 @@ |
| 35 | 35 | static void profile_activated(struct pyra_device *pyra, |
| 36 | 36 | unsigned int new_profile) |
| 37 | 37 | { |
| 38 | + if (new_profile >= ARRAY_SIZE(pyra->profile_settings)) | |
| 39 | + return; | |
| 38 | 40 | pyra->actual_profile = new_profile; |
| 39 | 41 | pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi; |
| 40 | 42 | } |
| 41 | 43 | |
| ... | ... | @@ -257,9 +259,11 @@ |
| 257 | 259 | if (off != 0 || count != PYRA_SIZE_SETTINGS) |
| 258 | 260 | return -EINVAL; |
| 259 | 261 | |
| 260 | - mutex_lock(&pyra->pyra_lock); | |
| 261 | - | |
| 262 | 262 | settings = (struct pyra_settings const *)buf; |
| 263 | + if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings)) | |
| 264 | + return -EINVAL; | |
| 265 | + | |
| 266 | + mutex_lock(&pyra->pyra_lock); | |
| 263 | 267 | |
| 264 | 268 | retval = pyra_set_settings(usb_dev, settings); |
| 265 | 269 | if (retval) { |
