From: Jan Kratochvil <[EMAIL PROTECTED]>
To: Dmitry Torokhov <[EMAIL PROTECTED]>
Cc: Jiri Kosina <[EMAIL PROTECTED]>, Anssi Hannula <[EMAIL PROTECTED]>,
[email protected], [EMAIL PROTECTED]
Subject: [PATCH] playing ff effect with code greater than FF_EFFECTS can cause buffer overflow
Hi,
I found a bug in ff-memless.c, so I fixed it. As you can see, I am
doing a check whether effect_id is less than 0, but I am aware that it is useless
because effect_id is actually input_event.code, which is __u16; but on the
other hand, as long as effect_id is an int, I feel it is correct to check
whether it is > 0.
Jan.
From: Jan Kratochvil <[EMAIL PROTECTED]>
input: playing ff effect with code greater than FF_EFFECTS can cause buffer overflow
To reproduce this bug, modify fftest to play an effect with code > 15 and
try to play this effect on a device which is implemented using ff-memless.
ml_ff_playback() will try to access the ml->states array over the boundary (the array
is statically allocated to contain FF_EFFECTS fields).
Signed-off-by: Jan Kratochvil <[EMAIL PROTECTED]>
Signed-off-by: Jiri Kosina <[EMAIL PROTECTED]>
---
drivers/input/ff-memless.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c
index d226d93..bc546a6 100644
--- a/drivers/input/ff-memless.c
+++ b/drivers/input/ff-memless.c
@@ -396,7 +396,14 @@ static void ml_ff_set_gain(struct input_
static int ml_ff_playback(struct input_dev *dev, int effect_id, int value)
{
struct ml_device *ml = dev->ff->private;
- struct ml_effect_state *state = &ml->states[effect_id];
+ struct ml_effect_state *state;
+
+ if (effect_id < 0 || effect_id >= FF_MEMLESS_EFFECTS) {
+ printk(KERN_ERR "Effect id %d is out of range!\n", effect_id);
+ return -EINVAL;
+ }
+
+ state = &ml->states[effect_id];
spin_lock_bh(&ml->timer_lock);
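Review bot: the KERN_ERR printk in the new range check fires on every out-of-range effect_id, and the commit message says that value comes straight from a userspace event code, so any process that can write to the event device can flood the kernel log; either drop the message (the -EINVAL return already reports the error to the caller) or guard it with printk_ratelimit(). Two smaller points: the commit message and subject name the bound FF_EFFECTS while the code compares against FF_MEMLESS_EFFECTS, so one of them should be made consistent; and since, per the cover note, effect_id originates from a __u16 code, the `effect_id < 0` half of the test is dead for this caller, which is fine as defensive hardening of an int parameter but deserves a one-line comment so the next reader does not remove it or assume negative ids are reachable.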
--
1.4.3.4