Re: [RFC][PATCH 2.6.17-rc6] input/mouse/sermouse: fix memleak and potential buffer overflow

From: Rolf Eike Beer
Date: Wed Jun 21 2006 - 12:22:30 EST


Wouter Paesen wrote:
>On Sun, Jun 18, 2006 at 12:24:31AM -0400, Dmitry Torokhov wrote:
>> > Because serio->phys is also a 32 character field the sprintf could
>> > result in 39 characters being written to the sermouse->phys.
>>
>> Right, we need to change it to use snprintf.
>
>Thanks, this patch will do just that.
>Still, keeping the array 39 characters long will prevent truncation of the
> string.
>
>Signed-off-by: Wouter Paesen <wouter@xxxxxxxxxxxxx>
>
>--- linux-2.6.17-rc6.orig/drivers/input/mouse/sermouse.c 2006-06-20
> 08:31:12.000000000 +0200 +++
> linux-2.6.17-rc6/drivers/input/mouse/sermouse.c 2006-06-20
> 08:31:41.000000000 +0200 @@ -53,7 +53,7 @@ struct sermouse {
> unsigned char count;
> unsigned char type;
> unsigned long last;
>- char phys[32];
>+ char phys[39];
> };
>
> /*
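Review bot: the new size in `char phys[39];` is a bare constant whose derivation is not visible at the declaration. It is the 32-byte serio->phys (the old size on the removed line) plus the 7-byte "/input0" suffix from the sprintf format, so a comment or a define expressed in terms of the serio phys size would keep the two from drifting apart if serio->phys is ever resized.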
>@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio
> goto fail;
>
> sermouse->dev = input_dev;
>- sprintf(sermouse->phys, "%s/input0", serio->phys);
>+ snprintf(sermouse->phys, 39, "%s/input0", serio->phys);
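Review bot: the literal 39 passed to snprintf duplicates the array length declared in struct sermouse; passing sizeof(sermouse->phys) ties the bound to the declaration so a later change to one cannot silently break the other. With snprintf an over-long serio->phys is now truncated instead of overflowing the array, which is the safe direction; since the 39-byte array covers the longest possible input, truncation should not occur in practice.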

This adds a magic number here. I suggest using sizeof(sermouse->phys) instead.

Eike
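The sizing arithmetic discussed in this thread, worked through in user-space C as an added example (not code from sermouse.c or from either poster): a 32-byte serio->phys holds at most 31 characters plus NUL, appending "/input0" adds 7, and the terminating NUL makes 39, so the old 32-byte array overflows by up to 7 bytes and the new 39-byte array fits exactly. The struct names, the `format_phys` helper and the sample phys strings are constructed stand-ins; the bounded call follows Eike's suggestion of `sizeof` on the destination and additionally reports truncation to the caller.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel structs (not the real definitions):
 * serio->phys is a 32-byte array; the patch grows sermouse->phys to 39. */
#define SERIO_PHYS_LEN 32
#define INPUT_SUFFIX   "/input0"
/* 32 + strlen("/input0") = 39: the longest serio->phys (31 chars), the
 * 7-byte suffix, and the terminating NUL. */
#define SERMOUSE_PHYS_LEN (SERIO_PHYS_LEN + sizeof(INPUT_SUFFIX) - 1)

struct serio_stub    { char phys[SERIO_PHYS_LEN]; };
struct sermouse_stub { char phys[SERMOUSE_PHYS_LEN]; };

/* Constructed worst case: a serio->phys that fills its array (31 chars). */
static const char longest_serio_phys[] =
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "a";

/* Bytes an unbounded sprintf("%s/input0") would write, NUL included. */
size_t bytes_needed(const char *serio_phys)
{
    return strlen(serio_phys) + strlen(INPUT_SUFFIX) + 1;
}

/* 1 if sprintf into a dstsize-byte array would run past its end. */
int sprintf_would_overflow(const char *serio_phys, size_t dstsize)
{
    return bytes_needed(serio_phys) > dstsize;
}

/* Bounded form of the patched line: the limit is the destination's own
 * size (pass sizeof(dst) at the call site) and truncation is reported
 * rather than silently accepted. Returns 0 on success, -1 if truncated. */
int format_phys(char *dst, size_t dstsize, const char *serio_phys)
{
    int n = snprintf(dst, dstsize, "%s" INPUT_SUFFIX, serio_phys);
    if (n < 0 || (size_t)n >= dstsize)
        return -1;
    return 0;
}

/* Format into a dstsize-byte window of a local buffer and return the
 * resulting string length, or -1 if the name did not fit. */
int phys_len_after(const char *serio_phys, size_t dstsize)
{
    char buf[64];
    if (dstsize > sizeof(buf))
        return -1;
    if (format_phys(buf, dstsize, serio_phys) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    struct serio_stub serio;
    struct sermouse_stub mouse;

    memcpy(serio.phys, longest_serio_phys, sizeof(longest_serio_phys));

    printf("needs %zu bytes; overflows 32-byte array: %d; overflows %zu-byte array: %d\n",
           bytes_needed(serio.phys),
           sprintf_would_overflow(serio.phys, 32),
           sizeof(mouse.phys),
           sprintf_would_overflow(serio.phys, sizeof(mouse.phys)));

    /* sizeof(mouse.phys) instead of a literal 39, as suggested above. */
    if (format_phys(mouse.phys, sizeof(mouse.phys), serio.phys) == 0)
        printf("phys = \"%s\" (%zu chars)\n", mouse.phys, strlen(mouse.phys));
    else
        printf("truncated\n");
    return 0;
}
```

Running it shows the worst-case name needs 39 bytes, that a 32-byte destination would overflow while the 39-byte one does not, and that the bounded call into the 39-byte array yields a 38-character string.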
