Commit 08ffce45 authored by Dmitry Torokhov's avatar Dmitry Torokhov

Input: fix potential overflows in driver/input/mouse

Change all sprintfs into snprintfs to make sure we won't stomp on
data adjacent to our buffers.

Noticed by Wouter Paesen <wouter@kangaroot.net>
Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 4854c7b2
......@@ -470,7 +470,7 @@ int alps_init(struct psmouse *psmouse)
dev1->keybit[LONG(BTN_BACK)] |= BIT(BTN_BACK);
}
sprintf(priv->phys, "%s/input1", psmouse->ps2dev.serio->phys);
snprintf(priv->phys, sizeof(priv->phys), "%s/input1", psmouse->ps2dev.serio->phys);
dev2->phys = priv->phys;
dev2->name = (priv->i->flags & ALPS_DUALPOINT) ? "DualPoint Stick" : "PS/2 Mouse";
dev2->id.bustype = BUS_I8042;
......
......@@ -1057,8 +1057,8 @@ static int psmouse_switch_protocol(struct psmouse *psmouse, struct psmouse_proto
if (psmouse->resync_time && psmouse->poll(psmouse))
psmouse->resync_time = 0;
sprintf(psmouse->devname, "%s %s %s",
psmouse_protocol_by_type(psmouse->type)->name, psmouse->vendor, psmouse->name);
snprintf(psmouse->devname, sizeof(psmouse->devname), "%s %s %s",
psmouse_protocol_by_type(psmouse->type)->name, psmouse->vendor, psmouse->name);
input_dev->name = psmouse->devname;
input_dev->phys = psmouse->phys;
......@@ -1099,7 +1099,7 @@ static int psmouse_connect(struct serio *serio, struct serio_driver *drv)
ps2_init(&psmouse->ps2dev, serio);
INIT_WORK(&psmouse->resync_work, psmouse_resync, psmouse);
psmouse->dev = input_dev;
sprintf(psmouse->phys, "%s/input0", serio->phys);
snprintf(psmouse->phys, sizeof(psmouse->phys), "%s/input0", serio->phys);
psmouse_set_state(psmouse, PSMOUSE_INITIALIZING);
......
......@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio *serio, struct serio_driver *drv)
goto fail;
sermouse->dev = input_dev;
sprintf(sermouse->phys, "%s/input0", serio->phys);
snprintf(sermouse->phys, sizeof(sermouse->phys), "%s/input0", serio->phys);
sermouse->type = serio->id.proto;
input_dev->name = sermouse_protocols[sermouse->type];
......
......@@ -153,22 +153,25 @@ vsxxxaa_detection_done (struct vsxxxaa *mouse)
{
switch (mouse->type) {
case 0x02:
sprintf (mouse->name, "DEC VSXXX-AA/-GA mouse");
strlcpy (mouse->name, "DEC VSXXX-AA/-GA mouse",
sizeof (mouse->name));
break;
case 0x04:
sprintf (mouse->name, "DEC VSXXX-AB digitizer");
strlcpy (mouse->name, "DEC VSXXX-AB digitizer",
sizeof (mouse->name));
break;
default:
sprintf (mouse->name, "unknown DEC pointer device "
"(type = 0x%02x)", mouse->type);
snprintf (mouse->name, sizeof (mouse->name),
"unknown DEC pointer device (type = 0x%02x)",
mouse->type);
break;
}
printk (KERN_INFO "Found %s version 0x%02x from country 0x%02x "
"on port %s\n", mouse->name, mouse->version,
mouse->country, mouse->phys);
printk (KERN_INFO
"Found %s version 0x%02x from country 0x%02x on port %s\n",
mouse->name, mouse->version, mouse->country, mouse->phys);
}
/*
......@@ -503,8 +506,9 @@ vsxxxaa_connect (struct serio *serio, struct serio_driver *drv)
mouse->dev = input_dev;
mouse->serio = serio;
sprintf (mouse->name, "DEC VSXXX-AA/-GA mouse or VSXXX-AB digitizer");
sprintf (mouse->phys, "%s/input0", serio->phys);
strlcat (mouse->name, "DEC VSXXX-AA/-GA mouse or VSXXX-AB digitizer",
sizeof (mouse->name));
snprintf (mouse->phys, sizeof (mouse->phys), "%s/input0", serio->phys);
input_dev->name = mouse->name;
input_dev->phys = mouse->phys;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment