Commit e3ce0787 authored by Dan Carpenter's avatar Dan Carpenter Committed by Luis Henriques

HID: roccat: potential out of bounds in pyra_sysfs_write_settings()

commit 606185b2 upstream.

This is a static checker fix.  We write some binary settings to the
sysfs file.  One of the settings is the "->startup_profile".  There
isn't any checking to make sure it fits into the
pyra->profile_settings[] array in the profile_activated() function.

I added a check to pyra_sysfs_write_settings() in both places because
I wasn't positive that the other callers were correct.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 90f577a1
...@@ -35,6 +35,8 @@ static struct class *pyra_class; ...@@ -35,6 +35,8 @@ static struct class *pyra_class;
static void profile_activated(struct pyra_device *pyra, static void profile_activated(struct pyra_device *pyra,
unsigned int new_profile) unsigned int new_profile)
{ {
if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
return;
pyra->actual_profile = new_profile; pyra->actual_profile = new_profile;
pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi; pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
} }
...@@ -257,9 +259,11 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp, ...@@ -257,9 +259,11 @@ static ssize_t pyra_sysfs_write_settings(struct file *fp,
if (off != 0 || count != PYRA_SIZE_SETTINGS) if (off != 0 || count != PYRA_SIZE_SETTINGS)
return -EINVAL; return -EINVAL;
mutex_lock(&pyra->pyra_lock);
settings = (struct pyra_settings const *)buf; settings = (struct pyra_settings const *)buf;
if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings))
return -EINVAL;
mutex_lock(&pyra->pyra_lock);
retval = pyra_set_settings(usb_dev, settings); retval = pyra_set_settings(usb_dev, settings);
if (retval) { if (retval) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment