aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/input.h
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2011-10-13 00:05:53 -0400
committerDmitry Torokhov <dmitry.torokhov@gmail.com>2011-10-13 00:13:11 -0400
commit05be8b81aafd4f95106a91ff3fd8581fa984fad9 (patch)
treed34da61ab5fa18f5fb57b0342a1e3871aedb36bc /include/linux/input.h
parent341deefe8f4584b09564193cb46d8cf386f491a5 (diff)
Input: force feedback - potential integer wrap in input_ff_create()
The problem here is that max_effects can wrap on 32 bits systems. We'd allocate a smaller amount of data than sizeof(struct ff_device). The call to kcalloc() on the next line would fail but it would write the NULL return outside of the memory we just allocated causing data corruption. The call path is that uinput_setup_device() get ->ff_effects_max from the user and sets the value in the ->private_data struct. From there it is: -> uinput_ioctl_handler() -> uinput_create_device() -> input_ff_create(dev, udev->ff_effects_max); I've also changed ff_effects_max so it's an unsigned int instead of a signed int as a cleanup. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Diffstat (limited to 'include/linux/input.h')
-rw-r--r--include/linux/input.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/input.h b/include/linux/input.h
index 57add325e7a8..6d5eddb18c82 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -1610,7 +1610,7 @@ struct ff_device {
1610 struct file *effect_owners[]; 1610 struct file *effect_owners[];
1611}; 1611};
1612 1612
1613int input_ff_create(struct input_dev *dev, int max_effects); 1613int input_ff_create(struct input_dev *dev, unsigned int max_effects);
1614void input_ff_destroy(struct input_dev *dev); 1614void input_ff_destroy(struct input_dev *dev);
1615 1615
1616int input_ff_event(struct input_dev *dev, unsigned int type, unsigned int code, int value); 1616int input_ff_event(struct input_dev *dev, unsigned int type, unsigned int code, int value);