[PATCH] USB: out of bounds access in hiddev_cleanup

hiddev_table[] is an array of pointers. the minor number is used as an offset. hiddev minors start either with zero, or with 96. If they start with 96, the offset must be reduced by HIDDEV_MINOR_BASE because only 16 minors are available. unplugging a hiddevice will zero data outside the hiddev_table array. this was spotted by Takashi Iwai.

[PATCH] USB: out of bounds access in hiddev_cleanup
hiddev_table[] is an array of pointers. the minor number is used as an offset. hiddev minors start either with zero, or with 96. If they start with 96, the offset must be reduced by HIDDEV_MINOR_BASE because only 16 minors are available. unplugging a hiddevice will zero data outside the hiddev_table array. this was spotted by Takashi Iwai.
3a386413 · Olaf Hering · Greg Kroah-Hartman · 6dbb845a · 3a386413
Commit 3a386413 authored May 24, 2004 by Olaf Hering Committed by Greg Kroah-Hartman May 24, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/usb/input/hiddev.c drivers/usb/input/hiddev.c +1 -1

No files found.
--- a/drivers/usb/input/hiddev.c
+++ b/drivers/usb/input/hiddev.c
@@ -232,7 +232,7 @@ static int hiddev_fasync(int fd, struct file *file, int on)
 static struct usb_class_driver hiddev_class;
 static void hiddev_cleanup(struct hiddev *hiddev)
 {
-	hiddev_table[hiddev->hid->minor] = NULL;
+	hiddev_table[hiddev->hid->minor - HIDDEV_MINOR_BASE] = NULL;
 	usb_deregister_dev(hiddev->hid->intf, &hiddev_class);
 	kfree(hiddev);
 }