[RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow

From: Wouter Paesen
Date: Thu Jun 15 2006 - 06:55:09 EST


While strolling through the sermouse driver for some example code, I
noticed two strange things happening there:

* In the sermouse_connect function an input device structure is
allocated (input_allocate_device), which is not deallocated
in the sermouse_disconnect function.

If I understand this correctly someone repeatedly connecting and
disconnecting the mouse would leak input_dev structures.

* In the sermouse_connect function the phys member of the sermouse
structure (32 characters) is initialised with:

sprintf(sermouse->phys, "%s/input0", serio->phys);

Because serio->phys is also a 32 character field the sprintf could
result in 39 characters being written to the sermouse->phys.

If my understanding of both these concepts is correct, this is a patch
to fix the problems.

Signed-off-by: Wouter Paesen <wouter@xxxxxxxxxxxxx>

--- a/drivers/input/mouse/sermouse.c 2006-06-15 08:47:47.000000000 +0200
+++ b/drivers/input/mouse/sermouse.c 2006-06-15 08:52:13.000000000 +0200
@@ -53,7 +53,7 @@
unsigned char count;
unsigned char type;
unsigned long last;
- char phys[32];
+ char phys[39];
};

/*
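Review bot: the new width of 39 in `char phys[39];` is 32 plus strlen("/input0") plus the NUL, which silently couples this struct to the size of serio->phys; if that field ever grows, the same overflow comes back with no help from the compiler. The safer fix is to leave the array alone and bound the write at the call site, `snprintf(sermouse->phys, sizeof(sermouse->phys), "%s/input0", serio->phys);`, which cannot overrun the destination and always NUL-terminates whatever the source length is. If the wider field is kept anyway, a comment beside it should say where the 39 comes from.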
@@ -233,6 +233,7 @@
serio_close(serio);
serio_set_drvdata(serio, NULL);
input_unregister_device(sermouse->dev);
+ input_free_device(sermouse->dev);
kfree(sermouse);
}
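Review bot: the added `input_free_device(sermouse->dev);` directly after `input_unregister_device(sermouse->dev);` is a double free, not a leak fix. input_unregister_device() drops the input core's reference to the device and the input_dev is released when the last reference goes away, so a device that was successfully registered must not be passed to input_free_device() afterwards. input_free_device() is only correct where input_register_device() was never called or failed, i.e. on the error path of sermouse_connect(); drop this line and check that error path instead.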
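The size arithmetic behind the second point, as an added example that is not part of the patch or of the sermouse driver: a 32-byte source plus "/input0" needs up to 39 bytes, and a bounded snprintf() both prevents the overrun and reports, through its return value, when the result did not fit. The struct and function names below are stand-ins for the kernel ones, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the patch or the driver. Field widths mirror
 * the mail: serio->phys and sermouse->phys are both 32 bytes. */
#define PHYS_LEN 32
#define SUFFIX   "/input0"

struct fake_serio    { char phys[PHYS_LEN]; };   /* stand-in for struct serio    */
struct fake_sermouse { char phys[PHYS_LEN]; };   /* stand-in for struct sermouse */

/* Bytes an unbounded sprintf("%s/input0") would write, NUL included. */
size_t phys_bytes_needed(const char *serio_phys)
{
    return strlen(serio_phys) + strlen(SUFFIX) + 1;
}

/* Bounded copy. snprintf() returns the length it wanted to write, so a
 * value >= sizeof(dest) means the output was truncated (but the buffer is
 * still NUL-terminated and was never overrun). Returns 1 if it fit, 0 if not. */
int set_phys_bounded(struct fake_sermouse *m, const struct fake_serio *s)
{
    int n = snprintf(m->phys, sizeof(m->phys), "%s%s", s->phys, SUFFIX);
    return n >= 0 && (size_t)n < sizeof(m->phys);
}

/* Convenience wrapper: fill a fake serio with the given phys string and
 * attempt the bounded copy; 1 = fit, 0 = truncated. */
int phys_fits(const char *serio_phys)
{
    struct fake_serio s;
    struct fake_sermouse m;

    snprintf(s.phys, sizeof(s.phys), "%s", serio_phys);
    return set_phys_bounded(&m, &s);
}

int main(void)
{
    /* Constructed worst case: 31 characters, the longest NUL-terminated
     * string a 32-byte serio->phys can hold. */
    const char *worst = "pppppppppp" "pppppppppp" "pppppppppp" "p";
    struct fake_serio s;
    struct fake_sermouse m;

    snprintf(s.phys, sizeof(s.phys), "%s", worst);
    printf("sprintf would need %zu bytes, destination holds %zu\n",
           phys_bytes_needed(s.phys), sizeof(m.phys));
    printf("snprintf: %s, phys=\"%s\"\n",
           set_phys_bounded(&m, &s) ? "fit" : "truncated", m.phys);
    return 0;
}
```

The boundary sits at a 24-character serio->phys: 24 + 7 = 31 characters plus the NUL exactly fill 32 bytes, and one character more is truncated rather than written past the end.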