* drivers/input/touchscreen/gunze.c: gunze_process_packet: invalid array access
@ 2005-03-23 1:26 Adrian Bunk
2005-03-24 0:41 ` Dmitry Torokhov
0 siblings, 1 reply; 2+ messages in thread
From: Adrian Bunk @ 2005-03-23 1:26 UTC (permalink / raw)
To: vojtech; +Cc: linux-input, linux-kernel
The Coverity checker found the following bug in the function
gunze_process_packet in drivers/input/touchscreen/gunze.c:
<-- snip -->
...
#define GUNZE_MAX_LENGTH 10
...
struct gunze {
...
unsigned char data[GUNZE_MAX_LENGTH];
...
};
...
static void gunze_process_packet(struct gunze* gunze, struct pt_regs *regs)
...
gunze->data[10] = 0;
...
<-- snip -->
The bug is obvious, but for a correct solution someone should know this
code better than I do.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: drivers/input/touchscreen/gunze.c: gunze_process_packet: invalid array access
2005-03-23 1:26 drivers/input/touchscreen/gunze.c: gunze_process_packet: invalid array access Adrian Bunk
@ 2005-03-24 0:41 ` Dmitry Torokhov
0 siblings, 0 replies; 2+ messages in thread
From: Dmitry Torokhov @ 2005-03-24 0:41 UTC (permalink / raw)
To: Adrian Bunk; +Cc: vojtech, linux-input, linux-kernel
On Tuesday 22 March 2005 20:26, Adrian Bunk wrote:
> The Coverity checker found the following bug in the function
> gunze_process_packet in drivers/input/touchscreen/gunze.c:
>
>
> <-- snip -->
>
> ...
> #define GUNZE_MAX_LENGTH 10
> ...
> struct gunze {
> ...
> unsigned char data[GUNZE_MAX_LENGTH];
> ...
> };
> ...
> static void gunze_process_packet(struct gunze* gunze, struct pt_regs *regs)
> ...
> gunze->data[10] = 0;
> ...
>
> <-- snip -->
>
>
> The bug is obvious, but for a correct solution someone should know this
> code better than I do.
>
Ahh, it looks like it was just an attempt to null-terminate packet for
printk. The patch below should do the trick.
--
Dmitry
===================================================================
Input: gunze - fix out-of-bound array access reported by Adrian Bunk.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
gunze.c | 3 +--
1 files changed, 1 insertion(+), 2 deletions(-)
Index: dtor/drivers/input/touchscreen/gunze.c
===================================================================
--- dtor.orig/drivers/input/touchscreen/gunze.c
+++ dtor/drivers/input/touchscreen/gunze.c
@@ -68,8 +68,7 @@ static void gunze_process_packet(struct
if (gunze->idx != GUNZE_MAX_LENGTH || gunze->data[5] != ',' ||
(gunze->data[0] != 'T' && gunze->data[0] != 'R')) {
- gunze->data[10] = 0;
- printk(KERN_WARNING "gunze.c: bad packet: >%s<\n", gunze->data);
+ printk(KERN_WARNING "gunze.c: bad packet: >%.*s<\n", GUNZE_MAX_LENGTH, gunze->data);
return;
}
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-03-24 0:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-03-23 1:26 drivers/input/touchscreen/gunze.c: gunze_process_packet: invalid array access Adrian Bunk
2005-03-24 0:41 ` Dmitry Torokhov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox