Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: roccat: potential out of bounds in pyra_sysfs_write_settings()

This is a static checker fix. We write some binary settings to the
sysfs file. One of the settings is the "->startup_profile". There
isn't any checking to make sure it fits into the
pyra->profile_settings[] array in the profile_activated() function.

I added a check to pyra_sysfs_write_settings() in both places because
I wasn't positive that the other callers were correct.

Cc: <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

authored by Dan Carpenter and committed by Jiri Kosina
606185b2 2bacedad

+6 -2
drivers/hid/hid-roccat-pyra.c
··· 35 35 static void profile_activated(struct pyra_device *pyra, 36 36 unsigned int new_profile) 37 37 { 38 + if (new_profile >= ARRAY_SIZE(pyra->profile_settings)) 39 + return; 38 40 pyra->actual_profile = new_profile; 39 41 pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi; 40 42 } ··· 259 257 if (off != 0 || count != PYRA_SIZE_SETTINGS) 260 258 return -EINVAL; 261 259 262 - mutex_lock(&pyra->pyra_lock); 263 - 264 260 settings = (struct pyra_settings const *)buf; 261 + if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings)) 262 + return -EINVAL; 263 + 264 + mutex_lock(&pyra->pyra_lock); 265 265 266 266 retval = pyra_set_settings(usb_dev, settings); 267 267 if (retval) {
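Review bot: In the first hunk, the new guard in profile_activated() returns silently, and because the function is void a caller that passes an out-of-range new_profile gets no indication that actual_profile and actual_cpi were left at their previous values. Since the commit message says the other callers were not confirmed correct, a short comment above `if (new_profile >= ARRAY_SIZE(pyra->profile_settings))` naming where an untrusted value can come from, or a one-time warning on that path, would make a rejected profile number visible instead of being dropped quietly.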
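Review bot: In the second hunk, the bound `settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings)` repeats the expression added to profile_activated() in the first hunk, so the two checks can drift apart if the array or the field changes later. A small helper that both sites call would keep them in step. Placing the check before `mutex_lock(&pyra->pyra_lock)` is the right order, since the -EINVAL return then needs no unlock, and a one-line comment saying that the value comes from the sysfs write buffer would document why this site validates it.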