If an empty buf is received, lbuf is also empty. So lbuf is
accessed by index -1.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
Signed-off-by: Anastasia Belova <[email protected]>
---
drivers/hid/hid-lg4ff.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
index 5e6a0cef2a06..e3fcf1353fb3 100644
--- a/drivers/hid/hid-lg4ff.c
+++ b/drivers/hid/hid-lg4ff.c
@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_store(struct device *dev, struct device_att
return -ENOMEM;
i = strlen(lbuf);
+
+ if (i == 0) {
+ kfree(lbuf);
+ return -EINVAL;
+ }
+
if (lbuf[i-1] == '\n') {
if (i == 1) {
kfree(lbuf);
--
2.30.2
On Fri, 11 Nov 2022, Anastasia Belova wrote:
> If an empty buf is received, lbuf is also empty. So lbuf is
> accessed by index -1.
Good catch, thanks!
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
>
> Signed-off-by: Anastasia Belova <[email protected]>
I've put the Fixes: line into the SOB/metadata space, and applied. Thank
you,
--
Jiri Kosina
SUSE Labs