Input: evdev - fix overflow in compat_ioctl

When exporting input device bitmaps via compat_ioctl on BIG_ENDIAN platforms evdev calculates data size incorrectly. This causes buffer overflow if user specifies buffer smaller than maxlen. Signed-off-by: Kenichi Nagai <kenichi3.nagai@toshiba.co.jp> Signed-off-by: Dmitry Torokhov <dtor@mail.ru> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Input: evdev - fix overflow in compat_ioctl
When exporting input device bitmaps via compat_ioctl on BIG_ENDIAN platforms evdev calculates data size incorrectly. This causes buffer overflow if user specifies buffer smaller than maxlen. Signed-off-by: Kenichi Nagai <kenichi3.nagai@toshiba.co.jp> Signed-off-by: Dmitry Torokhov <dtor@mail.ru> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
bf61f8d3 · Kenichi Nagai · Linus Torvalds · 435b71be · bf61f8d3
Commit bf61f8d3 authored May 11, 2007 by Kenichi Nagai Committed by Linus Torvalds May 11, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/input/evdev.c drivers/input/evdev.c +1 -1

No files found.
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -336,7 +336,7 @@ static int bits_to_user(unsigned long *bits, unsigned int maxbit,

 	if (compat) {
 		len = NBITS_COMPAT(maxbit) * sizeof(compat_long_t);
-		if (len < maxlen)
+		if (len > maxlen)
 			len = maxlen;

 		for (i = 0; i < len / sizeof(compat_long_t); i++)