diff options
| author | Daniel Rosenberg <drosen@google.com> | 2018-03-12 15:57:54 -0700 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2018-11-29 12:28:04 +0100 |
| commit | 3d29fcecea03b179e8a07cd7f025402aa344f12e (patch) | |
| tree | 36ccdffa651e7f78e63df03fcac558aeb860e3ff | |
| parent | 805b4489849977489e87c649ba410adf3e457f59 (diff) | |
ANDROID: HID: debug: check length in hid_debug_events_read() before copy_to_user()
If our length is greater than the size of the buffer, we
overflow the buffer
Change-Id: I113a1955a2bac83c83084d5cd28d886175673219
Bug: 71361580
Signed-off-by: Daniel Rosenberg <drosen@google.com>
| -rw-r--r-- | drivers/hid/hid-debug.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c index 941ab3c28..a20025d8c 100644 --- a/drivers/hid/hid-debug.c +++ b/drivers/hid/hid-debug.c @@ -1063,6 +1063,8 @@ copy_rest: goto out; if (list->tail > list->head) { len = list->tail - list->head; + if (len > count) + len = count; if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { ret = -EFAULT; @@ -1072,6 +1074,8 @@ copy_rest: list->head += len; } else { len = HID_DEBUG_BUFSIZE - list->head; + if (len > count) + len = count; if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { ret = -EFAULT; @@ -1079,7 +1083,9 @@ copy_rest: } list->head = 0; ret += len; - goto copy_rest; + count -= len; + if (count > 0) + goto copy_rest; } } |