Commit 672bbf00 authored by Randy Dunlap's avatar Randy Dunlap Committed by Greg Kroah-Hartman

[PATCH] USB: hid-core: possible buffer overflow in hid-core.c

Peter Bartosch wrote:
> Hello all,
>
>
> i think i found a possible buffer overflow in hid-core (2.6.10-rc2):

Agreed, and sorry it took so long to reply/patch this.
(from 2004-DEC-01)

> when i interpret this code right, the buffer (buf) will overflow when
> the iManufacturer stringlength is 0 and the iProduct stringlength
> is > 64!

Thanks, here's a patch for it.

Fix potential buffer overflow (by a device descriptor):
buf size is only 64 bytes.
Signed-off-by: default avatarRandy Dunlap <rddunlap@osdl.org>
Signed-off-by: default avatarGreg Kroah-Hartman <greg@kroah.com>
parent 3caac896
......@@ -1740,7 +1740,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
strcat(hid->name, buf);
if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
snprintf(hid->name, 64, "%s %s", hid->name, buf);
} else if (usb_string(dev, dev->descriptor.iProduct, buf, 128) > 0) {
} else if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0) {
snprintf(hid->name, 128, "%s", buf);
} else
snprintf(hid->name, 128, "%04x:%04x",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment