-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Input: force feedback - potential integer wrap in input_ff_create()
The problem here is that max_effects can wrap on 32 bits systems. We'd allocate a smaller amount of data than sizeof(struct ff_device). The call to kcalloc() on the next line would fail but it would write the NULL return outside of the memory we just allocated causing data corruption. The call path is that uinput_setup_device() get ->ff_effects_max from the user and sets the value in the ->private_data struct. From there it is: -> uinput_ioctl_handler() -> uinput_create_device() -> input_ff_create(dev, udev->ff_effects_max); I've also changed ff_effects_max so it's an unsigned int instead of a signed int as a cleanup. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
- Loading branch information
Dan Carpenter
authored and
Dmitry Torokhov
committed
Oct 13, 2011
1 parent
341deef
commit 05be8b8
Showing
3 changed files
with
10 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters