From: Dan Carpenter <dan.carpenter@oracle.com>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org
Subject: re: [PATCH] drivers/input/joystick: convert to dynamic input_dev allocation
Date: Tue, 28 Jul 2015 20:00:24 +0300 [thread overview]
Message-ID: <20150728170024.GD21317@mwanda> (raw)
Hello Dmitry Torokhov,
The patch 17dd3f0f7aa7: "[PATCH] drivers/input/joystick: convert to
dynamic input_dev allocation" from Sep 15, 2005, leads to the
following static checker warning:
drivers/input/joystick/turbografx.c:235 tgfx_probe()
error: buffer overflow 'tgfx_buttons' 5 <= 5
drivers/input/joystick/turbografx.c
195 for (i = 0; i < n_devs; i++) {
196 if (n_buttons[i] < 1)
197 continue;
198
199 if (n_buttons[i] > 6) {
^^^^^^^^^^^^^^^^
Possibly off by one. >= 6.
200 printk(KERN_ERR "turbografx.c: Invalid number of buttons %d\n", n_buttons[i]);
201 err = -EINVAL;
202 goto err_unreg_devs;
203 }
204
205 tgfx->dev[i] = input_dev = input_allocate_device();
206 if (!input_dev) {
207 printk(KERN_ERR "turbografx.c: Not enough memory for input device\n");
208 err = -ENOMEM;
209 goto err_unreg_devs;
210 }
211
212 tgfx->sticks |= (1 << i);
213 snprintf(tgfx->name[i], sizeof(tgfx->name[i]),
214 "TurboGraFX %d-button Multisystem joystick", n_buttons[i]);
215 snprintf(tgfx->phys[i], sizeof(tgfx->phys[i]),
216 "%s/input%d", tgfx->pd->port->name, i);
217
218 input_dev->name = tgfx->name[i];
219 input_dev->phys = tgfx->phys[i];
220 input_dev->id.bustype = BUS_PARPORT;
221 input_dev->id.vendor = 0x0003;
222 input_dev->id.product = n_buttons[i];
223 input_dev->id.version = 0x0100;
224
225 input_set_drvdata(input_dev, tgfx);
226
227 input_dev->open = tgfx_open;
228 input_dev->close = tgfx_close;
229
230 input_dev->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_ABS);
231 input_set_abs_params(input_dev, ABS_X, -1, 1, 0, 0);
232 input_set_abs_params(input_dev, ABS_Y, -1, 1, 0, 0);
233
234 for (j = 0; j < n_buttons[i]; j++)
235 set_bit(tgfx_buttons[j], input_dev->keybit);
^^^^^^^^^^^^^^^
Leading to an off by one write here. This only has 5 elements.
236
regards,
dan carpenter
next reply other threads:[~2015-07-28 17:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-28 17:00 Dan Carpenter [this message]
2015-07-30 18:04 ` [PATCH] drivers/input/joystick: convert to dynamic input_dev allocation Dmitry Torokhov
2015-07-30 19:15 ` Dan Carpenter
2015-07-30 19:38 ` Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150728170024.GD21317@mwanda \
--to=dan.carpenter@oracle.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.