Commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab
Committed by
Jiri Kosina
1 parent
2bacedada6
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
This is a static checker fix. We write some binary settings to the sysfs file. One of the settings is the "->startup_profile". There isn't any checking to make sure it fits into the pyra->profile_settings[] array in the profile_activated() function. I added a check to pyra_sysfs_write_settings() in both places because I wasn't positive that the other callers were correct. Cc: <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Showing 1 changed file with 6 additions and 2 deletions Side-by-side Diff
drivers/hid/hid-roccat-pyra.c
... | ... | @@ -35,6 +35,8 @@ |
35 | 35 | static void profile_activated(struct pyra_device *pyra, |
36 | 36 | unsigned int new_profile) |
37 | 37 | { |
38 | + if (new_profile >= ARRAY_SIZE(pyra->profile_settings)) | |
39 | + return; | |
38 | 40 | pyra->actual_profile = new_profile; |
39 | 41 | pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi; |
40 | 42 | } |
41 | 43 | |
... | ... | @@ -257,9 +259,11 @@ |
257 | 259 | if (off != 0 || count != PYRA_SIZE_SETTINGS) |
258 | 260 | return -EINVAL; |
259 | 261 | |
260 | - mutex_lock(&pyra->pyra_lock); | |
261 | - | |
262 | 262 | settings = (struct pyra_settings const *)buf; |
263 | + if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings)) | |
264 | + return -EINVAL; | |
265 | + | |
266 | + mutex_lock(&pyra->pyra_lock); | |
263 | 267 | |
264 | 268 | retval = pyra_set_settings(usb_dev, settings); |
265 | 269 | if (retval) { |