author | Miod Vallat <miod@cvs.openbsd.org> | 2009-06-02 21:43:42 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2009-06-02 21:43:42 +0000 |
commit | 3da448405a46d99e49b5d8caf8207d651e13cca4 (patch) | |
tree | 4f20b129dc0f966031f3d94d9f2de4b9ae350d6e /sys | |
parent | 1906e55f24c21258f2be91468f091c51c45b3f85 (diff) |
Avoid a buf oflow in uhidev_set_report_async() if we have to prepend the
report id and the data to report is too long (this should probably
use dynamic allocation for large reports).
Diffstat (limited to 'sys')
-rw-r--r-- | sys/dev/usb/uhidev.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/dev/usb/uhidev.c b/sys/dev/usb/uhidev.c
index fea976ee65a..9d790043072 100644
--- a/sys/dev/usb/uhidev.c
+++ b/sys/dev/usb/uhidev.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uhidev.c,v 1.33 2008/06/26 05:42:18 ray Exp $ */
+/* $OpenBSD: uhidev.c,v 1.34 2009/06/02 21:43:41 miod Exp $ */
 /* $NetBSD: uhidev.c,v 1.14 2003/03/11 16:44:00 augustss Exp $ */
 /*
@@ -613,6 +613,13 @@ uhidev_set_report_async(struct uhidev *scd, int type, void *data, int len)
 char buf[100];
 if (scd->sc_report_id) {
 buf[0] = scd->sc_report_id;
+ if ((uint)len > sizeof(buf) - 1) {
+#ifdef DIAGNOSTIC
+ printf("%s: report length too large (%d)\n",
+ scd->sc_dev.dv_xname, len);
+#endif
+ return;
+ }
 memcpy(buf+1, data, len);
 len++;
 data = buf;
|
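Review bot: The oversized-report path in the second hunk drops the request with a bare `return;`, and its only trace is a printf under `#ifdef DIAGNOSTIC`. On kernels built without DIAGNOSTIC, a report longer than `sizeof(buf) - 1` bytes is discarded silently, and the bare `return;` suggests the caller gets no status to act on. The guard itself looks right for the visible `memcpy(buf+1, data, len)`, but it relies on the `(uint)` cast to reject a negative `len`, which is easy to undo in a later cleanup. I would add a comment above the check such as `/* unsigned compare also rejects len < 0; buf holds the report id plus at most sizeof(buf) - 1 data bytes */` and state the silent-drop behaviour in the function's header comment. The function starts and ends outside the hunk, so the return type and the path taken when `sc_report_id` is zero are not visible here.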