From: Dan Carpenter Date: Fri, 9 Jan 2015 12:32:31 +0000 (+0300) Subject: HID: roccat: potential out of bounds in pyra_sysfs_write_settings() X-Git-Tag: v3.4.107~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=125943629949d30464bc0d02d4554f4f4938c220;p=thirdparty%2Fkernel%2Fstable.git HID: roccat: potential out of bounds in pyra_sysfs_write_settings() commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream. This is a static checker fix. We write some binary settings to the sysfs file. One of the settings is the "->startup_profile". There isn't any checking to make sure it fits into the pyra->profile_settings[] array in the profile_activated() function. I added a check to pyra_sysfs_write_settings() in both places because I wasn't positive that the other callers were correct. Signed-off-by: Dan Carpenter Signed-off-by: Jiri Kosina [lizf: Backported to 3.4: define the variable @settings] Signed-off-by: Zefan Li --- diff --git a/drivers/hid/hid-roccat-pyra.c b/drivers/hid/hid-roccat-pyra.c index df05c1b1064ff..53466474b4202 100644 --- a/drivers/hid/hid-roccat-pyra.c +++ b/drivers/hid/hid-roccat-pyra.c @@ -35,6 +35,8 @@ static struct class *pyra_class; static void profile_activated(struct pyra_device *pyra, unsigned int new_profile) { + if (new_profile >= ARRAY_SIZE(pyra->profile_settings)) + return; pyra->actual_profile = new_profile; pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi; } @@ -299,10 +301,15 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp, int retval = 0; int difference; struct pyra_roccat_report roccat_report; + struct pyra_settings const *settings; if (off != 0 || count != sizeof(struct pyra_settings)) return -EINVAL; + settings = (struct pyra_settings const *)buf; + if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings)) + return -EINVAL; + mutex_lock(&pyra->pyra_lock); difference = memcmp(buf, &pyra->settings, sizeof(struct pyra_settings)); if (difference) {