Commit 08ffce45 authored by Dmitry Torokhov's avatar Dmitry Torokhov

Input: fix potential overflows in driver/input/mouse

Change all sprintfs into snprintfs to make sure we won't stomp on
data adjacent to our buffers.

Noticed by Wouter Paesen <wouter@kangaroot.net>
Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 4854c7b2
...@@ -470,7 +470,7 @@ int alps_init(struct psmouse *psmouse) ...@@ -470,7 +470,7 @@ int alps_init(struct psmouse *psmouse)
dev1->keybit[LONG(BTN_BACK)] |= BIT(BTN_BACK); dev1->keybit[LONG(BTN_BACK)] |= BIT(BTN_BACK);
} }
sprintf(priv->phys, "%s/input1", psmouse->ps2dev.serio->phys); snprintf(priv->phys, sizeof(priv->phys), "%s/input1", psmouse->ps2dev.serio->phys);
dev2->phys = priv->phys; dev2->phys = priv->phys;
dev2->name = (priv->i->flags & ALPS_DUALPOINT) ? "DualPoint Stick" : "PS/2 Mouse"; dev2->name = (priv->i->flags & ALPS_DUALPOINT) ? "DualPoint Stick" : "PS/2 Mouse";
dev2->id.bustype = BUS_I8042; dev2->id.bustype = BUS_I8042;
......
...@@ -1057,8 +1057,8 @@ static int psmouse_switch_protocol(struct psmouse *psmouse, struct psmouse_proto ...@@ -1057,8 +1057,8 @@ static int psmouse_switch_protocol(struct psmouse *psmouse, struct psmouse_proto
if (psmouse->resync_time && psmouse->poll(psmouse)) if (psmouse->resync_time && psmouse->poll(psmouse))
psmouse->resync_time = 0; psmouse->resync_time = 0;
sprintf(psmouse->devname, "%s %s %s", snprintf(psmouse->devname, sizeof(psmouse->devname), "%s %s %s",
psmouse_protocol_by_type(psmouse->type)->name, psmouse->vendor, psmouse->name); psmouse_protocol_by_type(psmouse->type)->name, psmouse->vendor, psmouse->name);
input_dev->name = psmouse->devname; input_dev->name = psmouse->devname;
input_dev->phys = psmouse->phys; input_dev->phys = psmouse->phys;
...@@ -1099,7 +1099,7 @@ static int psmouse_connect(struct serio *serio, struct serio_driver *drv) ...@@ -1099,7 +1099,7 @@ static int psmouse_connect(struct serio *serio, struct serio_driver *drv)
ps2_init(&psmouse->ps2dev, serio); ps2_init(&psmouse->ps2dev, serio);
INIT_WORK(&psmouse->resync_work, psmouse_resync, psmouse); INIT_WORK(&psmouse->resync_work, psmouse_resync, psmouse);
psmouse->dev = input_dev; psmouse->dev = input_dev;
sprintf(psmouse->phys, "%s/input0", serio->phys); snprintf(psmouse->phys, sizeof(psmouse->phys), "%s/input0", serio->phys);
psmouse_set_state(psmouse, PSMOUSE_INITIALIZING); psmouse_set_state(psmouse, PSMOUSE_INITIALIZING);
......
...@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio *serio, struct serio_driver *drv) ...@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
sermouse->dev = input_dev; sermouse->dev = input_dev;
sprintf(sermouse->phys, "%s/input0", serio->phys); snprintf(sermouse->phys, sizeof(sermouse->phys), "%s/input0", serio->phys);
sermouse->type = serio->id.proto; sermouse->type = serio->id.proto;
input_dev->name = sermouse_protocols[sermouse->type]; input_dev->name = sermouse_protocols[sermouse->type];
......
...@@ -153,22 +153,25 @@ vsxxxaa_detection_done (struct vsxxxaa *mouse) ...@@ -153,22 +153,25 @@ vsxxxaa_detection_done (struct vsxxxaa *mouse)
{ {
switch (mouse->type) { switch (mouse->type) {
case 0x02: case 0x02:
sprintf (mouse->name, "DEC VSXXX-AA/-GA mouse"); strlcpy (mouse->name, "DEC VSXXX-AA/-GA mouse",
sizeof (mouse->name));
break; break;
case 0x04: case 0x04:
sprintf (mouse->name, "DEC VSXXX-AB digitizer"); strlcpy (mouse->name, "DEC VSXXX-AB digitizer",
sizeof (mouse->name));
break; break;
default: default:
sprintf (mouse->name, "unknown DEC pointer device " snprintf (mouse->name, sizeof (mouse->name),
"(type = 0x%02x)", mouse->type); "unknown DEC pointer device (type = 0x%02x)",
mouse->type);
break; break;
} }
printk (KERN_INFO "Found %s version 0x%02x from country 0x%02x " printk (KERN_INFO
"on port %s\n", mouse->name, mouse->version, "Found %s version 0x%02x from country 0x%02x on port %s\n",
mouse->country, mouse->phys); mouse->name, mouse->version, mouse->country, mouse->phys);
} }
/* /*
...@@ -503,8 +506,9 @@ vsxxxaa_connect (struct serio *serio, struct serio_driver *drv) ...@@ -503,8 +506,9 @@ vsxxxaa_connect (struct serio *serio, struct serio_driver *drv)
mouse->dev = input_dev; mouse->dev = input_dev;
mouse->serio = serio; mouse->serio = serio;
sprintf (mouse->name, "DEC VSXXX-AA/-GA mouse or VSXXX-AB digitizer"); strlcat (mouse->name, "DEC VSXXX-AA/-GA mouse or VSXXX-AB digitizer",
sprintf (mouse->phys, "%s/input0", serio->phys); sizeof (mouse->name));
snprintf (mouse->phys, sizeof (mouse->phys), "%s/input0", serio->phys);
input_dev->name = mouse->name; input_dev->name = mouse->name;
input_dev->phys = mouse->phys; input_dev->phys = mouse->phys;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment