Re: [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow

From: Dmitry Torokhov
Date: Sun Jun 18 2006 - 00:31:36 EST

Next message: Chris Wedgwood: "Re: sound skips on 2.6.16.17"
Previous message: David Miller: "Re: tg3 timeouts with 2.6.17-rc6"
Next in thread: Wouter Paesen: "Re: [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thursday 15 June 2006 06:47, Wouter Paesen wrote:
> While strolling trough the sermouse driver for some example code, I
> noticed 2 strange things happening there :
>
> * In the sermouse_connect function an input device structure is
> allocated (input_allocate_device), which is not deallocated
> in the sermouse_disconnect function.
>
> If I understand this correctly someone repeatedly connecting and
> disconnecting the mouse would leak input_dev structures.
>

No, input_free_device() should not be called after input_register_device()
returns successfully because input_dev will be freed automatically once
last reference to it is dropped.

> * In the sermouse_connect function the phys member of the sermouse
> structure (32 characters) is initialised with :
>
> sprintf(sermouse->phys, "%s/input0", serio->phys);
>
> Because serio->phys is also a 32 character field the sprintf could
> result in 39 characters being written to the sermouse->phys.
>

Right, we need to change it to use snprintf.

--
Dmitry
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wedgwood: "Re: sound skips on 2.6.16.17"
Previous message: David Miller: "Re: tg3 timeouts with 2.6.17-rc6"
Next in thread: Wouter Paesen: "Re: [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]