HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream. This is a static checker fix. We write some binary settings to the sysfs file. One of the settings is the "->startup_profile". There isn't any checking to make sure it fits into the pyra->profile_settings[] array in the profile_activated() function. I added a check to pyra_sysfs_write_settings() in both places because I wasn't positive that the other callers were correct. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
32b57c08f4
commit
94bb429ef6
|
@ -35,6 +35,8 @@ static struct class *pyra_class;
|
|||
static void profile_activated(struct pyra_device *pyra,
|
||||
unsigned int new_profile)
|
||||
{
|
||||
if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
|
||||
return;
|
||||
pyra->actual_profile = new_profile;
|
||||
pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
|
||||
}
|
||||
|
@ -236,9 +238,11 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp,
|
|||
if (off != 0 || count != PYRA_SIZE_SETTINGS)
|
||||
return -EINVAL;
|
||||
|
||||
mutex_lock(&pyra->pyra_lock);
|
||||
|
||||
settings = (struct pyra_settings const *)buf;
|
||||
if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings))
|
||||
return -EINVAL;
|
||||
|
||||
mutex_lock(&pyra->pyra_lock);
|
||||
|
||||
retval = pyra_set_settings(usb_dev, settings);
|
||||
if (retval) {
|
||||
|
|
Loading…
Reference in New Issue