Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 08ffce45 authored by Dmitry Torokhov's avatar Dmitry Torokhov
Browse files

Input: fix potential overflows in driver/input/mouse 



Change all sprintfs into snprintfs to make sure we won't stomp on
data adjacent to our buffers.

Noticed by Wouter Paesen <wouter@kangaroot.net>

Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 4854c7b2

drivers/input/mouse/alps.c

+1 −1
Original line number Diff line number Diff line
@@ -470,7 +470,7 @@ int alps_init(struct psmouse *psmouse) 
		dev1->keybit[LONG(BTN_BACK)] |= BIT(BTN_BACK);

	}



	sprintf(priv->phys, "%s/input1", psmouse->ps2dev.serio->phys);

	snprintf(priv->phys, sizeof(priv->phys), "%s/input1", psmouse->ps2dev.serio->phys);

	dev2->phys = priv->phys;

	dev2->name = (priv->i->flags & ALPS_DUALPOINT) ? "DualPoint Stick" : "PS/2 Mouse";

	dev2->id.bustype = BUS_I8042;

drivers/input/mouse/psmouse-base.c

+3 −3
Original line number Diff line number Diff line
@@ -1057,7 +1057,7 @@ static int psmouse_switch_protocol(struct psmouse *psmouse, struct psmouse_proto 
	if (psmouse->resync_time && psmouse->poll(psmouse))

		psmouse->resync_time = 0;



	sprintf(psmouse->devname, "%s %s %s",

	snprintf(psmouse->devname, sizeof(psmouse->devname), "%s %s %s",

		 psmouse_protocol_by_type(psmouse->type)->name, psmouse->vendor, psmouse->name);



	input_dev->name = psmouse->devname;
@@ -1099,7 +1099,7 @@ static int psmouse_connect(struct serio *serio, struct serio_driver *drv) 
	ps2_init(&psmouse->ps2dev, serio);

	INIT_WORK(&psmouse->resync_work, psmouse_resync, psmouse);

	psmouse->dev = input_dev;

	sprintf(psmouse->phys, "%s/input0", serio->phys);

	snprintf(psmouse->phys, sizeof(psmouse->phys), "%s/input0", serio->phys);



	psmouse_set_state(psmouse, PSMOUSE_INITIALIZING);

drivers/input/mouse/sermouse.c

+1 −1
Original line number Diff line number Diff line
@@ -254,7 +254,7 @@ static int sermouse_connect(struct serio *serio, struct serio_driver *drv) 
		goto fail;



	sermouse->dev = input_dev;

	sprintf(sermouse->phys, "%s/input0", serio->phys);

	snprintf(sermouse->phys, sizeof(sermouse->phys), "%s/input0", serio->phys);

	sermouse->type = serio->id.proto;



	input_dev->name = sermouse_protocols[sermouse->type];

drivers/input/mouse/vsxxxaa.c

+13 −9
Original line number Diff line number Diff line
@@ -153,22 +153,25 @@ vsxxxaa_detection_done (struct vsxxxaa *mouse) 
{

	switch (mouse->type) {

		case 0x02:

			sprintf (mouse->name, "DEC VSXXX-AA/-GA mouse");

			strlcpy (mouse->name, "DEC VSXXX-AA/-GA mouse",

				 sizeof (mouse->name));

			break;



		case 0x04:

			sprintf (mouse->name, "DEC VSXXX-AB digitizer");

			strlcpy (mouse->name, "DEC VSXXX-AB digitizer",

				 sizeof (mouse->name));

			break;



		default:

			sprintf (mouse->name, "unknown DEC pointer device "

					"(type = 0x%02x)", mouse->type);

			snprintf (mouse->name, sizeof (mouse->name),

				  "unknown DEC pointer device (type = 0x%02x)",

				  mouse->type);

			break;

	}



	printk (KERN_INFO "Found %s version 0x%02x from country 0x%02x "

			"on port %s\n", mouse->name, mouse->version,

			mouse->country, mouse->phys);

	printk (KERN_INFO

		"Found %s version 0x%02x from country 0x%02x on port %s\n",

		mouse->name, mouse->version, mouse->country, mouse->phys);

}



/*
@@ -503,8 +506,9 @@ vsxxxaa_connect (struct serio *serio, struct serio_driver *drv) 


	mouse->dev = input_dev;

	mouse->serio = serio;

	sprintf (mouse->name, "DEC VSXXX-AA/-GA mouse or VSXXX-AB digitizer");

	sprintf (mouse->phys, "%s/input0", serio->phys);

	strlcat (mouse->name, "DEC VSXXX-AA/-GA mouse or VSXXX-AB digitizer",

		 sizeof (mouse->name));

	snprintf (mouse->phys, sizeof (mouse->phys), "%s/input0", serio->phys);



	input_dev->name = mouse->name;

	input_dev->phys = mouse->phys;