Commit 7eb07124 authored by Vojtech Pavlik's avatar Vojtech Pavlik

This fixes a possible buffer overflow in hid-core.c in case a

device would have very long string descriptors (vendor and device
name.)
parent afae6f7c
...@@ -1396,12 +1396,12 @@ static struct hid_device *usb_hid_configure(struct usb_device *dev, int ifnum) ...@@ -1396,12 +1396,12 @@ static struct hid_device *usb_hid_configure(struct usb_device *dev, int ifnum)
if (usb_string(dev, dev->descriptor.iManufacturer, buf, 64) > 0) { if (usb_string(dev, dev->descriptor.iManufacturer, buf, 64) > 0) {
strcat(hid->name, buf); strcat(hid->name, buf);
if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0) if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
sprintf(hid->name, "%s %s", hid->name, buf); snprintf(hid->name, 64, "%s %s", hid->name, buf);
} else } else
sprintf(hid->name, "%04x:%04x", dev->descriptor.idVendor, dev->descriptor.idProduct); snprintf(hid->name, 64, "%04x:%04x", dev->descriptor.idVendor, dev->descriptor.idProduct);
usb_make_path(dev, buf, 63); usb_make_path(dev, buf, 64);
sprintf(hid->phys, "%s/input%d", buf, ifnum); snprintf(hid->phys, 64, "%s/input%d", buf, ifnum);
if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0) if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0)
hid->uniq[0] = 0; hid->uniq[0] = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment