Commit 10ca4c0a authored by Dmitry Torokhov's avatar Dmitry Torokhov

Input: fix potential overflows in driver/input/joystick

Change all sprintfs into snprintfs to make sure we won't stomp on
data adjacent to our buffers.
Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 08ffce45
...@@ -306,7 +306,7 @@ static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv) ...@@ -306,7 +306,7 @@ static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
gameport_set_poll_handler(gameport, a3d_poll); gameport_set_poll_handler(gameport, a3d_poll);
gameport_set_poll_interval(gameport, 20); gameport_set_poll_interval(gameport, 20);
sprintf(a3d->phys, "%s/input0", gameport->phys); snprintf(a3d->phys, sizeof(a3d->phys), "%s/input0", gameport->phys);
input_dev->name = a3d_names[a3d->mode]; input_dev->name = a3d_names[a3d->mode];
input_dev->phys = a3d->phys; input_dev->phys = a3d->phys;
......
...@@ -408,21 +408,23 @@ static void analog_calibrate_timer(struct analog_port *port) ...@@ -408,21 +408,23 @@ static void analog_calibrate_timer(struct analog_port *port)
static void analog_name(struct analog *analog) static void analog_name(struct analog *analog)
{ {
sprintf(analog->name, "Analog %d-axis %d-button", snprintf(analog->name, sizeof(analog->name), "Analog %d-axis %d-button",
hweight8(analog->mask & ANALOG_AXES_STD), hweight8(analog->mask & ANALOG_AXES_STD),
hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 + hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4); hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
if (analog->mask & ANALOG_HATS_ALL) if (analog->mask & ANALOG_HATS_ALL)
sprintf(analog->name, "%s %d-hat", snprintf(analog->name, sizeof(analog->name), "%s %d-hat",
analog->name, hweight16(analog->mask & ANALOG_HATS_ALL)); analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
if (analog->mask & ANALOG_HAT_FCS) if (analog->mask & ANALOG_HAT_FCS)
strcat(analog->name, " FCS"); strlcat(analog->name, " FCS", sizeof(analog->name));
if (analog->mask & ANALOG_ANY_CHF) if (analog->mask & ANALOG_ANY_CHF)
strcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF"); strlcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF",
sizeof(analog->name));
strcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick"); strlcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick",
sizeof(analog->name));
} }
/* /*
...@@ -435,7 +437,8 @@ static int analog_init_device(struct analog_port *port, struct analog *analog, i ...@@ -435,7 +437,8 @@ static int analog_init_device(struct analog_port *port, struct analog *analog, i
int i, j, t, v, w, x, y, z; int i, j, t, v, w, x, y, z;
analog_name(analog); analog_name(analog);
sprintf(analog->phys, "%s/input%d", port->gameport->phys, index); snprintf(analog->phys, sizeof(analog->phys),
"%s/input%d", port->gameport->phys, index);
analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn; analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn;
analog->dev = input_dev = input_allocate_device(); analog->dev = input_dev = input_allocate_device();
......
...@@ -202,7 +202,8 @@ static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv) ...@@ -202,7 +202,8 @@ static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
goto fail3; goto fail3;
} }
sprintf(cobra->phys[i], "%s/input%d", gameport->phys, i); snprintf(cobra->phys[i], sizeof(cobra->phys[i]),
"%s/input%d", gameport->phys, i);
input_dev->name = "Creative Labs Blaster GamePad Cobra"; input_dev->name = "Creative Labs Blaster GamePad Cobra";
input_dev->phys = cobra->phys[i]; input_dev->phys = cobra->phys[i];
......
...@@ -620,7 +620,8 @@ static struct db9 __init *db9_probe(int parport, int mode) ...@@ -620,7 +620,8 @@ static struct db9 __init *db9_probe(int parport, int mode)
goto err_unreg_devs; goto err_unreg_devs;
} }
sprintf(db9->phys[i], "%s/input%d", db9->pd->port->name, i); snprintf(db9->phys[i], sizeof(db9->phys[i]),
"%s/input%d", db9->pd->port->name, i);
input_dev->name = db9_mode->name; input_dev->name = db9_mode->name;
input_dev->phys = db9->phys[i]; input_dev->phys = db9->phys[i];
......
...@@ -761,7 +761,8 @@ static struct gc __init *gc_probe(int parport, int *pads, int n_pads) ...@@ -761,7 +761,8 @@ static struct gc __init *gc_probe(int parport, int *pads, int n_pads)
if (!pads[i]) if (!pads[i])
continue; continue;
sprintf(gc->phys[i], "%s/input%d", gc->pd->port->name, i); snprintf(gc->phys[i], sizeof(gc->phys[i]),
"%s/input%d", gc->pd->port->name, i);
err = gc_setup_pad(gc, i, pads[i]); err = gc_setup_pad(gc, i, pads[i]);
if (err) if (err)
goto err_unreg_devs; goto err_unreg_devs;
......
...@@ -298,7 +298,7 @@ static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv) ...@@ -298,7 +298,7 @@ static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
gameport_set_poll_handler(gameport, gf2k_poll); gameport_set_poll_handler(gameport, gf2k_poll);
gameport_set_poll_interval(gameport, 20); gameport_set_poll_interval(gameport, 20);
sprintf(gf2k->phys, "%s/input0", gameport->phys); snprintf(gf2k->phys, sizeof(gf2k->phys), "%s/input0", gameport->phys);
gf2k->length = gf2k_lens[gf2k->id]; gf2k->length = gf2k_lens[gf2k->id];
......
...@@ -354,7 +354,8 @@ static int grip_connect(struct gameport *gameport, struct gameport_driver *drv) ...@@ -354,7 +354,8 @@ static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
goto fail3; goto fail3;
} }
sprintf(grip->phys[i], "%s/input%d", gameport->phys, i); snprintf(grip->phys[i], sizeof(grip->phys[i]),
"%s/input%d", gameport->phys, i);
input_dev->name = grip_name[grip->mode[i]]; input_dev->name = grip_name[grip->mode[i]];
input_dev->phys = grip->phys[i]; input_dev->phys = grip->phys[i];
......
...@@ -222,7 +222,7 @@ static int guillemot_connect(struct gameport *gameport, struct gameport_driver * ...@@ -222,7 +222,7 @@ static int guillemot_connect(struct gameport *gameport, struct gameport_driver *
gameport_set_poll_handler(gameport, guillemot_poll); gameport_set_poll_handler(gameport, guillemot_poll);
gameport_set_poll_interval(gameport, 20); gameport_set_poll_interval(gameport, 20);
sprintf(guillemot->phys, "%s/input0", gameport->phys); snprintf(guillemot->phys, sizeof(guillemot->phys), "%s/input0", gameport->phys);
guillemot->type = guillemot_type + i; guillemot->type = guillemot_type + i;
input_dev->name = guillemot_type[i].name; input_dev->name = guillemot_type[i].name;
......
...@@ -251,7 +251,7 @@ static int interact_connect(struct gameport *gameport, struct gameport_driver *d ...@@ -251,7 +251,7 @@ static int interact_connect(struct gameport *gameport, struct gameport_driver *d
gameport_set_poll_handler(gameport, interact_poll); gameport_set_poll_handler(gameport, interact_poll);
gameport_set_poll_interval(gameport, 20); gameport_set_poll_interval(gameport, 20);
sprintf(interact->phys, "%s/input0", gameport->phys); snprintf(interact->phys, sizeof(interact->phys), "%s/input0", gameport->phys);
interact->type = i; interact->type = i;
interact->length = interact_type[i].length; interact->length = interact_type[i].length;
......
...@@ -162,7 +162,7 @@ static int magellan_connect(struct serio *serio, struct serio_driver *drv) ...@@ -162,7 +162,7 @@ static int magellan_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
magellan->dev = input_dev; magellan->dev = input_dev;
sprintf(magellan->phys, "%s/input0", serio->phys); snprintf(magellan->phys, sizeof(magellan->phys), "%s/input0", serio->phys);
input_dev->name = "LogiCad3D Magellan / SpaceMouse"; input_dev->name = "LogiCad3D Magellan / SpaceMouse";
input_dev->phys = magellan->phys; input_dev->phys = magellan->phys;
......
...@@ -541,7 +541,7 @@ static void sw_print_packet(char *name, int length, unsigned char *buf, char bit ...@@ -541,7 +541,7 @@ static void sw_print_packet(char *name, int length, unsigned char *buf, char bit
* Unfortunately I don't know how to do this for the other SW types. * Unfortunately I don't know how to do this for the other SW types.
*/ */
static void sw_3dp_id(unsigned char *buf, char *comment) static void sw_3dp_id(unsigned char *buf, char *comment, size_t size)
{ {
int i; int i;
char pnp[8], rev[9]; char pnp[8], rev[9];
...@@ -554,7 +554,7 @@ static void sw_3dp_id(unsigned char *buf, char *comment) ...@@ -554,7 +554,7 @@ static void sw_3dp_id(unsigned char *buf, char *comment)
pnp[7] = rev[8] = 0; pnp[7] = rev[8] = 0;
sprintf(comment, " [PnP %d.%02d id %s rev %s]", snprintf(comment, size, " [PnP %d.%02d id %s rev %s]",
(int) ((sw_get_bits(buf, 8, 6, 1) << 6) | /* Two 6-bit values */ (int) ((sw_get_bits(buf, 8, 6, 1) << 6) | /* Two 6-bit values */
sw_get_bits(buf, 16, 6, 1)) / 100, sw_get_bits(buf, 16, 6, 1)) / 100,
(int) ((sw_get_bits(buf, 8, 6, 1) << 6) | (int) ((sw_get_bits(buf, 8, 6, 1) << 6) |
...@@ -703,7 +703,8 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv) ...@@ -703,7 +703,8 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
sw->length = 22; sw->length = 22;
case 64: case 64:
sw->type = SW_ID_3DP; sw->type = SW_ID_3DP;
if (j == 160) sw_3dp_id(idbuf, comment); if (j == 160)
sw_3dp_id(idbuf, comment, sizeof(comment));
break; break;
} }
} }
...@@ -733,8 +734,10 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv) ...@@ -733,8 +734,10 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
for (i = 0; i < sw->number; i++) { for (i = 0; i < sw->number; i++) {
int bits, code; int bits, code;
sprintf(sw->name, "Microsoft SideWinder %s", sw_name[sw->type]); snprintf(sw->name, sizeof(sw->name),
sprintf(sw->phys[i], "%s/input%d", gameport->phys, i); "Microsoft SideWinder %s", sw_name[sw->type]);
snprintf(sw->phys[i], sizeof(sw->phys[i]),
"%s/input%d", gameport->phys, i);
sw->dev[i] = input_dev = input_allocate_device(); sw->dev[i] = input_dev = input_allocate_device();
if (!input_dev) { if (!input_dev) {
......
...@@ -220,7 +220,7 @@ static int spaceball_connect(struct serio *serio, struct serio_driver *drv) ...@@ -220,7 +220,7 @@ static int spaceball_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
spaceball->dev = input_dev; spaceball->dev = input_dev;
sprintf(spaceball->phys, "%s/input0", serio->phys); snprintf(spaceball->phys, sizeof(spaceball->phys), "%s/input0", serio->phys);
input_dev->name = spaceball_names[id]; input_dev->name = spaceball_names[id];
input_dev->phys = spaceball->phys; input_dev->phys = spaceball->phys;
......
...@@ -177,7 +177,7 @@ static int spaceorb_connect(struct serio *serio, struct serio_driver *drv) ...@@ -177,7 +177,7 @@ static int spaceorb_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
spaceorb->dev = input_dev; spaceorb->dev = input_dev;
sprintf(spaceorb->phys, "%s/input0", serio->phys); snprintf(spaceorb->phys, sizeof(spaceorb->phys), "%s/input0", serio->phys);
input_dev->name = "SpaceTec SpaceOrb 360 / Avenger"; input_dev->name = "SpaceTec SpaceOrb 360 / Avenger";
input_dev->phys = spaceorb->phys; input_dev->phys = spaceorb->phys;
......
...@@ -148,7 +148,7 @@ static int stinger_connect(struct serio *serio, struct serio_driver *drv) ...@@ -148,7 +148,7 @@ static int stinger_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
stinger->dev = input_dev; stinger->dev = input_dev;
sprintf(stinger->phys, "%s/serio0", serio->phys); snprintf(stinger->phys, sizeof(stinger->phys), "%s/serio0", serio->phys);
input_dev->name = "Gravis Stinger"; input_dev->name = "Gravis Stinger";
input_dev->phys = stinger->phys; input_dev->phys = stinger->phys;
......
...@@ -199,7 +199,7 @@ static int twidjoy_connect(struct serio *serio, struct serio_driver *drv) ...@@ -199,7 +199,7 @@ static int twidjoy_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
twidjoy->dev = input_dev; twidjoy->dev = input_dev;
sprintf(twidjoy->phys, "%s/input0", serio->phys); snprintf(twidjoy->phys, sizeof(twidjoy->phys), "%s/input0", serio->phys);
input_dev->name = "Handykey Twiddler"; input_dev->name = "Handykey Twiddler";
input_dev->phys = twidjoy->phys; input_dev->phys = twidjoy->phys;
......
...@@ -154,7 +154,7 @@ static int warrior_connect(struct serio *serio, struct serio_driver *drv) ...@@ -154,7 +154,7 @@ static int warrior_connect(struct serio *serio, struct serio_driver *drv)
goto fail; goto fail;
warrior->dev = input_dev; warrior->dev = input_dev;
sprintf(warrior->phys, "%s/input0", serio->phys); snprintf(warrior->phys, sizeof(warrior->phys), "%s/input0", serio->phys);
input_dev->name = "Logitech WingMan Warrior"; input_dev->name = "Logitech WingMan Warrior";
input_dev->phys = warrior->phys; input_dev->phys = warrior->phys;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment