one more .27 patch

author Greg Kroah-Hartman <gregkh@suse.de>

Tue, 11 Nov 2008 23:56:59 +0000 (15:56 -0800)

committer Greg Kroah-Hartman <gregkh@suse.de>

Tue, 11 Nov 2008 23:56:59 +0000 (15:56 -0800)
author Greg Kroah-Hartman <gregkh@suse.de>
Tue, 11 Nov 2008 23:56:59 +0000 (15:56 -0800)
committer Greg Kroah-Hartman <gregkh@suse.de>
Tue, 11 Nov 2008 23:56:59 +0000 (15:56 -0800)
diff --git a/queue-2.6.27/hid-fix-incorrent-length-condition-in-hidraw_write.patch b/queue-2.6.27/hid-fix-incorrent-length-condition-in-hidraw_write.patch

new file mode 100644 (file)

index 0000000..0c01777
--- /dev/null
+++ b/queue-2.6.27/hid-fix-incorrent-length-condition-in-hidraw_write.patch
@@ -0,0 +1,44 @@
+From jkosina@suse.cz  Tue Nov 11 15:52:41 2008
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 11 Nov 2008 23:45:38 +0100 (CET)
+Subject: HID: fix incorrent length condition in hidraw_write()
+To: stable@kernel.org
+Cc: Paul Stoffregen <paul@pjrc.com>
+Message-ID: <alpine.LNX.1.10.0811112344180.24889@jikos.suse.cz>
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+upstream commit 2b107d629dc0c35de606bb7b010b829cd247a93a
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+The bound check on the buffer length
+
+       if (count > HID_MIN_BUFFER_SIZE)
+
+is of course incorrent, the proper check is
+
+       if (count > HID_MAX_BUFFER_SIZE)
+
+Fix it.
+
+Reported-by: Jerry Ryle <jerry@mindtribe.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Paul Stoffregen <paul@pjrc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/hidraw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file 
+       if (!dev->hid_output_raw_report)
+               return -ENODEV;
+ 
+-      if (count > HID_MIN_BUFFER_SIZE) {
++      if (count > HID_MAX_BUFFER_SIZE) {
+               printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
+                               task_pid_nr(current));
+               return -EINVAL;
diff --git a/queue-2.6.27/series b/queue-2.6.27/series

index 1b6e7f28e449f493d5cb726ae7ccf6cad63998bf..7eca95c871d994116837a4321c51f4c4cf9af3bf 100644 (file)
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -46,3 +46,4 @@ mmc-increase-sd-write-timeout-for-crappy-cards.patch
  hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch
  hfsplus-check-read_mapping_page-return-value.patch
  hfs-fix-namelength-memory-corruption.patch
+hid-fix-incorrent-length-condition-in-hidraw_write.patch
author	Greg Kroah-Hartman <gregkh@suse.de>
	Tue, 11 Nov 2008 23:56:59 +0000 (15:56 -0800)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Tue, 11 Nov 2008 23:56:59 +0000 (15:56 -0800)
queue-2.6.27/hid-fix-incorrent-length-condition-in-hidraw_write.patch	[new file with mode: 0644]	patch \| blob
queue-2.6.27/series		patch \| blob \| blame \| history