LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Paul Stoffregen <paul@pjrc.com>,
Jiri Kosina <jkosina@suse.cz>
Subject: [patch 49/49] HID: fix incorrent length condition in hidraw_write()
Date: Tue, 11 Nov 2008 16:24:41 -0800 [thread overview]
Message-ID: <20081112002441.GX10989@kroah.com> (raw)
In-Reply-To: <20081112002215.GA10989@kroah.com>
[-- Attachment #1: hid-fix-incorrent-length-condition-in-hidraw_write.patch --]
[-- Type: text/plain, Size: 1021 bytes --]
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Jiri Kosina <jkosina@suse.cz>
upstream commit 2b107d629dc0c35de606bb7b010b829cd247a93a
From: Jiri Kosina <jkosina@suse.cz>
The bound check on the buffer length
if (count > HID_MIN_BUFFER_SIZE)
is of course incorrent, the proper check is
if (count > HID_MAX_BUFFER_SIZE)
Fix it.
Reported-by: Jerry Ryle <jerry@mindtribe.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Paul Stoffregen <paul@pjrc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/hid/hidraw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file
if (!dev->hid_output_raw_report)
return -ENODEV;
- if (count > HID_MIN_BUFFER_SIZE) {
+ if (count > HID_MAX_BUFFER_SIZE) {
printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
task_pid_nr(current));
return -EINVAL;
--
next prev parent reply other threads:[~2008-11-12 0:43 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20081112001401.926965113@mini.kroah.org>
2008-11-12 0:22 ` [patch 00/49] 2.6.27.5 stable review Greg KH
2008-11-12 0:22 ` [patch 01/49] ext3: wait on all pending commits in ext3_sync_fs Greg KH
2008-11-12 0:22 ` [patch 02/49] x86: add DMI quirk for AMI BIOS which corrupts address 0xc000 during resume Greg KH
2008-11-12 0:22 ` [patch 03/49] x86: reserve low 64K on AMI and Phoenix BIOS boxen Greg KH
2008-11-12 0:22 ` [patch 04/49] x86: add X86_RESERVE_LOW_64K Greg KH
2008-11-12 0:23 ` [patch 05/49] x86: fix CONFIG_X86_RESERVE_LOW_64K=y Greg KH
2008-11-12 0:23 ` [patch 06/49] x86: fix macro with bad_bios_dmi_table Greg KH
2008-11-12 0:23 ` [patch 07/49] cgroups: fix invalid cgrp->dentry before cgroup has been completely removed Greg KH
2008-11-12 0:23 ` [patch 08/49] hugetlb: pull gigantic page initialisation out of the default path Greg KH
2008-11-12 0:23 ` [patch 09/49] hugetlbfs: handle pages higher order than MAX_ORDER Greg KH
2008-11-12 0:23 ` [patch 10/49] cciss: fix regression firmware not displayed in procfs Greg KH
2008-11-12 0:23 ` [patch 11/49] cciss: fix sysfs broken symlink regression Greg KH
2008-11-12 0:23 ` [patch 12/49] cciss: new hardware support Greg KH
2008-11-12 0:23 ` [patch 13/49] md: linear: Fix a division by zero bug for very small arrays Greg KH
2008-11-12 0:23 ` [patch 14/49] md: fix bug in raid10 recovery Greg KH
2008-11-12 0:23 ` [patch 15/49] JFFS2: fix race condition in jffs2_lzo_compress() Greg KH
2008-11-12 0:23 ` [patch 16/49] JFFS2: Fix lack of locking in thread_should_wake() Greg KH
2008-11-12 0:23 ` [patch 17/49] ARM: xsc3: fix xsc3_l2_inv_range Greg KH
2008-11-12 0:23 ` [patch 18/49] MTD: Fix cfi_send_gen_cmd handling of x16 devices in x8 mode (v4) Greg KH
2008-11-12 0:23 ` [patch 19/49] x86: dont use tsc_khz to calculate lpj if notsc is passed Greg KH
2008-11-12 0:23 ` [patch 20/49] net: unix: fix inflight counting bug in garbage collector Greg KH
2008-11-12 0:23 ` [patch 21/49] r8169: get ethtool settings through the generic mii helper Greg KH
2008-11-12 0:23 ` [patch 22/49] r8169: fix RxMissed register access Greg KH
2008-11-12 0:23 ` [patch 23/49] r8169: wake up the PHY of the 8168 Greg KH
2008-11-12 0:23 ` [patch 24/49] I/OAT: fix channel resources free for not allocated channels Greg KH
2008-11-12 0:23 ` [patch 25/49] I/OAT: fix dma_pin_iovec_pages() error handling Greg KH
2008-11-12 0:23 ` [patch 26/49] I/OAT: fix async_tx.callback checking Greg KH
2008-11-12 0:23 ` [patch 27/49] dca: fixup initialization dependency Greg KH
2008-11-12 0:23 ` [patch 28/49] iwlwifi: allow consecutive scans in unassociated state Greg KH
2008-11-12 0:23 ` [patch 29/49] iwlwifi: allow association on radar channel in power save Greg KH
2008-11-12 0:23 ` [patch 30/49] iwlwifi: remove HT flags from RXON when not in HT anymore Greg KH
2008-11-12 0:23 ` [patch 31/49] iwlwifi: dont fail if scan is issued too early Greg KH
2008-11-12 0:24 ` [patch 32/49] iwlwifi: use correct DMA_MASK Greg KH
2008-11-12 0:24 ` [patch 33/49] iwlwifi: fix suspend to RAM in iwlwifi Greg KH
2008-11-12 0:24 ` [patch 34/49] iwlwifi: generic init calibrations framework Greg KH
2008-11-12 0:24 ` [patch 35/49] zd1211rw: Add 2 device IDs Greg KH
2008-11-12 0:24 ` [patch 36/49] iwl3945: fix deadlock on suspend Greg KH
2008-11-12 0:24 ` [patch 37/49] iwl3945: do not send scan command if channel count zero Greg KH
2008-11-12 0:24 ` [patch 38/49] cpqarry: fix return value of cpqarray_init() Greg KH
2008-11-12 0:24 ` [patch 39/49] ACPI: dock: avoid check _STA method Greg KH
2008-11-12 0:24 ` [patch 40/49] ARM: 5300/1: fixup spitz reset during boot Greg KH
2008-11-12 0:24 ` [patch 41/49] KEYS: Make request key instantiate the per-user keyrings Greg KH
2008-11-12 0:24 ` [patch 42/49] libata: fix last_reset timestamp handling Greg KH
2008-11-12 0:24 ` [patch 43/49] ALSA: hda: make a STAC_DELL_EQ option Greg KH
2008-11-12 0:24 ` [patch 44/49] Fix __pfn_to_page(pfn) for CONFIG_DISCONTIGMEM=y Greg KH
2008-11-12 0:24 ` [patch 45/49] mmc: increase SD write timeout for crappy cards Greg KH
2008-11-12 0:24 ` [patch 46/49] hfsplus: fix Buffer overflow with a corrupted image (CVE-2008-4933) Greg KH
2008-11-12 0:24 ` [patch 47/49] hfsplus: check read_mapping_page() return value (CVE-2008-4934) Greg KH
2008-11-12 0:24 ` [patch 48/49] hfs: fix namelength memory corruption (CVE-2008-5025) Greg KH
2008-11-12 0:24 ` Greg KH [this message]
2008-11-12 0:44 ` [patch 00/49] 2.6.27.5 stable review Gabriel C
2008-11-12 1:07 ` Greg KH
2008-11-12 0:54 ` Willy Tarreau
2008-11-12 14:08 ` Frans Pop
2008-11-12 17:03 ` [stable] " Greg KH
2008-11-13 22:07 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081112002441.GX10989@kroah.com \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=eteo@redhat.com \
--cc=jake@lwn.net \
--cc=jkosina@suse.cz \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=paul@pjrc.com \
--cc=rbranco@la.checkpoint.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).