From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-input@vger.kernel.org
Subject: Re: [PATCH] drivers/input/joystick: convert to dynamic input_dev allocation
Date: Thu, 30 Jul 2015 11:04:47 -0700
Message-ID: <20150730180447.GG13165@dtor-ws>
In-Reply-To: <20150728170024.GD21317@mwanda>

On Tue, Jul 28, 2015 at 08:00:24PM +0300, Dan Carpenter wrote:
> Hello Dmitry Torokhov,
>
> The patch 17dd3f0f7aa7: "[PATCH] drivers/input/joystick: convert to
> dynamic input_dev allocation" from Sep 15, 2005, leads to the
> following static checker warning:
>
> drivers/input/joystick/turbografx.c:235 tgfx_probe()
> error: buffer overflow 'tgfx_buttons' 5 <= 5
>
> drivers/input/joystick/turbografx.c
>    195  for (i = 0; i < n_devs; i++) {
>    196          if (n_buttons[i] < 1)
>    197                  continue;
>    198
>    199          if (n_buttons[i] > 6) {
>                     ^^^^^^^^^^^^^^^^
> Possibly off by one.  >= 6.

How about this:

Input: turbografx - fix potential out of bound access

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Patch 17dd3f0f7aa7: "[PATCH] drivers/input/joystick: convert to dynamic
input_dev allocation" from Sep 15, 2005, leads to the following static
checker warning:

    drivers/input/joystick/turbografx.c:235 tgfx_probe()
    error: buffer overflow 'tgfx_buttons' 5 <= 5

drivers/input/joystick/turbografx.c
   195  for (i = 0; i < n_devs; i++) {
   196          if (n_buttons[i] < 1)
   197                  continue;
   198
   199          if (n_buttons[i] > 6) {
                    ^^^^^^^^^^^^^^^^
Possibly off by one.  >= 6.

Let's change the upper value to ARRAY_SIZE(tgfx_buttons) to ensure we do
not reach past the end of the array.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/joystick/turbografx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/joystick/turbografx.c b/drivers/input/joystick/turbografx.c
index 27b6a3c..891797a 100644
--- a/drivers/input/joystick/turbografx.c
+++ b/drivers/input/joystick/turbografx.c
@@ -196,7 +196,7 @@ static struct tgfx __init *tgfx_probe(int parport, int *n_buttons, int n_devs)
if (n_buttons[i] < 1)
continue;
- if (n_buttons[i] > 6) {
+ if (n_buttons[i] > ARRAY_SIZE(tgfx_buttons)) {
printk(KERN_ERR "turbografx.c: Invalid number of buttons %d\n", n_buttons[i]);
err = -EINVAL;
goto err_unreg_devs;
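
Review bot: In the changed test `n_buttons[i] > ARRAY_SIZE(tgfx_buttons)`, the accepted range shrinks: the checker output reports 5 elements, so a value of 6 that the old `> 6` test let through is now rejected with -EINVAL, and the commit message should say that the set of accepted parameter values changes. The printk in the context line below still prints only the rejected value; printing the allowed maximum as well would make the failure self-explanatory. The comparison also now mixes the int `n_buttons[i]` with a size_t, which is fine as long as the `n_buttons[i] < 1` check stays ahead of it so that negative values never reach the unsigned compare.
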
Thanks.
--
Dmitry