Peter Bartosch wrote:
Hello all,
I think I found a possible buffer overflow in hid-core (2.6.10-rc2):
Agreed, and sorry it took so long to reply/patch this.
(from 2004-DEC-01)
When I interpret this code right, the buffer (buf) will overflow when
the iManufacturer string length is 0 and the iProduct string length
is > 64!
Thanks, here's a patch for it.
--
Fix potential buffer overflow (by a device descriptor):
buf size is only 64 bytes.
Signed-off-by: Randy Dunlap <[EMAIL PROTECTED]>
diffstat:
drivers/usb/input/hid-core.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
diff -Naurp ./drivers/usb/input/hid-core.c~hid_buf_over ./drivers/usb/input/hid-core.c
--- ./drivers/usb/input/hid-core.c~hid_buf_over 2005-01-22 17:11:12.000000000 -0800
+++ ./drivers/usb/input/hid-core.c 2005-01-29 19:04:18.000000000 -0800
@@ -1727,7 +1727,7 @@ static struct hid_device *usb_hid_config
strcat(hid->name, buf);
if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
snprintf(hid->name, 64, "%s %s", hid->name, buf);
- } else if (usb_string(dev, dev->descriptor.iProduct, buf, 128) > 0) {
+ } else if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0) {
snprintf(hid->name, 128, "%s", buf);
} else
snprintf(hid->name, 128, "%04x:%04x",
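Review bot: the one-character bound change at the `-`/`+` lines closes the overflow of the 64-byte buf, but the first branch in the same hunk still reads `snprintf(hid->name, 64, "%s %s", hid->name, buf);`, which passes hid->name as both the destination and a source argument; overlapping source and destination is undefined behaviour for snprintf, and that call bounds hid->name at 64 while the two snprintf calls below it use 128. Suggest appending the product string at an offset (`snprintf(hid->name + len, name_len - len, " %s", buf)`) and passing `sizeof(buf)` instead of the literal 64 to the usb_string() calls so the bound cannot drift from the declaration again.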
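As an added example that is not part of the patch or of the kernel source, the following userspace model shows the name-building logic the hunk touches written so that the bug the report describes (no manufacturer string, product string longer than the 64-byte staging buffer) cannot overflow: every copy is bounded by `sizeof(buf)`, and the product string is appended at an offset instead of passing the destination back into snprintf. `fake_usb_string()`, `build_hid_name()`, the `demo_*` functions and the descriptor strings are all constructed for this example; the real driver obtains the strings from the device with `usb_string()`.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the hunk bounds hid->name at 128 and the commit message
 * says buf is 64 bytes. Both are model values here, not kernel definitions. */
#define HID_NAME_LEN 128
#define STAGING_LEN  64

/* Stand-in for usb_string(): copies descriptor string 'idx' into dst,
 * never writing more than 'size' bytes, and returns the length copied
 * (0 for an absent string). Index 0 means "no string", as in USB. */
static int fake_usb_string(const char *const *strings, int nstrings, int idx,
                           char *dst, size_t size)
{
    if (idx <= 0 || idx >= nstrings || strings[idx] == NULL || size == 0)
        return 0;
    size_t n = strlen(strings[idx]);
    if (n > size - 1)
        n = size - 1;                 /* truncate, keep room for the NUL */
    memcpy(dst, strings[idx], n);
    dst[n] = '\0';
    return (int)n;
}

/* Builds "<manufacturer> <product>", "<product>" or "vvvv:pppp" into name.
 * The bound handed to the copy routine is always sizeof(buf), and the
 * product string is written at an offset so name is never both the
 * destination and a source argument of the same snprintf call. */
void build_hid_name(char *name, size_t name_len,
                    const char *const *strings, int nstrings,
                    int i_manufacturer, int i_product,
                    unsigned vendor, unsigned product)
{
    char buf[STAGING_LEN];

    if (fake_usb_string(strings, nstrings, i_manufacturer, buf, sizeof(buf)) > 0) {
        size_t used = (size_t)snprintf(name, name_len, "%s", buf);
        if (used >= name_len)
            used = name_len - 1;      /* snprintf reports the untruncated length */
        if (fake_usb_string(strings, nstrings, i_product, buf, sizeof(buf)) > 0)
            snprintf(name + used, name_len - used, " %s", buf);
    } else if (fake_usb_string(strings, nstrings, i_product, buf, sizeof(buf)) > 0) {
        snprintf(name, name_len, "%s", buf);
    } else {
        snprintf(name, name_len, "%04x:%04x", vendor, product);
    }
}

/* Scenario from the report: iManufacturer absent, iProduct far longer than
 * the staging buffer. The result is truncated to 63 characters instead of
 * running past buf. (Constructed data.) */
size_t demo_long_product_len(void)
{
    static char longprod[101];
    memset(longprod, 'A', 100);
    longprod[100] = '\0';
    const char *strings[] = { NULL, NULL, longprod };
    char name[HID_NAME_LEN];
    build_hid_name(name, sizeof(name), strings, 3, 0, 2, 0x046d, 0xc52b);
    return strlen(name);
}

/* Normal case: both strings present. (Constructed data.) */
int demo_full_name_ok(void)
{
    const char *strings[] = { NULL, "ExampleCo", "Keyboard" };
    char name[HID_NAME_LEN];
    build_hid_name(name, sizeof(name), strings, 3, 1, 2, 0x1234, 0x5678);
    return strcmp(name, "ExampleCo Keyboard") == 0;
}

/* Fallback case: no strings at all, so the vendor:product ids are used. */
int demo_fallback_ok(void)
{
    const char *strings[] = { NULL };
    char name[HID_NAME_LEN];
    build_hid_name(name, sizeof(name), strings, 1, 0, 0, 0x1234, 0x5678);
    return strcmp(name, "1234:5678") == 0;
}

int main(void)
{
    printf("long product -> %zu chars\n", demo_long_product_len());
    printf("full name ok: %d, fallback ok: %d\n",
           demo_full_name_ok(), demo_fallback_ok());
    return 0;
}
```

The key points are that the copy bound comes from `sizeof(buf)` rather than a literal that can silently disagree with the declaration, and that truncation of an oversized descriptor string is handled explicitly (63 characters plus terminator) rather than left to overrun the stack.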