diff options
author | Jiri Kosina <jkosina@suse.cz> | 2008-09-17 19:41:58 +0200 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2008-10-14 23:51:00 +0200 |
commit | 2b107d629dc0c35de606bb7b010b829cd247a93a (patch) | |
tree | c287d509c0a16a2c7d30b00d413a8a3b81e5188a | |
parent | HID: fix tty<->hid deadlock (diff) | |
download | linux-2b107d629dc0c35de606bb7b010b829cd247a93a.tar.xz linux-2b107d629dc0c35de606bb7b010b829cd247a93a.zip |
HID: fix incorrent length condition in hidraw_write()
The bound check on the buffer length
if (count > HID_MIN_BUFFER_SIZE)
is of course incorrent, the proper check is
if (count > HID_MAX_BUFFER_SIZE)
Fix it.
Reported-by: Jerry Ryle <jerry@mindtribe.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-rw-r--r-- | drivers/hid/hidraw.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 4be240e74d4f..497e0d1dd3c3 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t if (!dev->hid_output_raw_report) return -ENODEV; - if (count > HID_MIN_BUFFER_SIZE) { + if (count > HID_MAX_BUFFER_SIZE) { printk(KERN_WARNING "hidraw: pid %d passed too large report\n", task_pid_nr(current)); return -EINVAL; |