The Coverity checker found the following bug in the function
gunze_process_packet in drivers/input/touchscreen/gunze.c:
<-- snip -->
...
#define GUNZE_MAX_LENGTH 10
...
struct gunze {
...
unsigned char data[GUNZE_MAX_LENGTH];
...
};
...
static void gunze_process_packet(struct gunze* gunze, struct pt_regs *regs)
...
gunze->data[10] = 0;
...
<-- snip -->
The bug is obvious, but for a correct solution someone should know this
code better than I do.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
On Tuesday 22 March 2005 20:26, Adrian Bunk wrote:
> The Coverity checker found the following bug in the function
> gunze_process_packet in drivers/input/touchscreen/gunze.c:
>
>
> <-- snip -->
>
> ...
> #define GUNZE_MAX_LENGTH 10
> ...
> struct gunze {
> ...
> unsigned char data[GUNZE_MAX_LENGTH];
> ...
> };
> ...
> static void gunze_process_packet(struct gunze* gunze, struct pt_regs *regs)
> ...
> gunze->data[10] = 0;
> ...
>
> <-- snip -->
>
>
> The bug is obvious, but for a correct solution someone should know this
> code better than I do.
>
Ahh, it looks like it was just an attempt to null-terminate packet for
printk. The patch below should do the trick.
--
Dmitry
===================================================================
Input: gunze - fix out-of-bound array access reported by Adrian Bunk.
Signed-off-by: Dmitry Torokhov <[email protected]>
gunze.c | 3 +--
1 files changed, 1 insertion(+), 2 deletions(-)
Index: dtor/drivers/input/touchscreen/gunze.c
===================================================================
--- dtor.orig/drivers/input/touchscreen/gunze.c
+++ dtor/drivers/input/touchscreen/gunze.c
@@ -68,8 +68,7 @@ static void gunze_process_packet(struct
if (gunze->idx != GUNZE_MAX_LENGTH || gunze->data[5] != ',' ||
(gunze->data[0] != 'T' && gunze->data[0] != 'R')) {
- gunze->data[10] = 0;
- printk(KERN_WARNING "gunze.c: bad packet: >%s<\n", gunze->data);
+ printk(KERN_WARNING "gunze.c: bad packet: >%.*s<\n", GUNZE_MAX_LENGTH, gunze->data);
return;
}