author: David Herrmann <dh.herrmann@googlemail.com> 2012-07-30 07:48:31 +0200
committer: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2012-08-22 07:29:53 +0200
commit: f40033acc2d14acecd1b27a79dc8a0ad437e619a
tree: 2be8d3a335f0d2a0b28d099bf41ffbba836246d5
parent: Input: uinput - take event lock when fetching events from buffer
Input: uinput - return -EINVAL when read buffer size is too small

Let's check whether the user-supplied buffer is actually big enough and return -EINVAL if it is not. This differs from current behavior, which caused 0 to be returned and actually does not make any sense, as broken application will simply repeat the read getting into endless loop.

Note that we treat 0 as a special case, according to the standard:

"Before any action described below is taken, and if nbyte is zero, the read() function may detect and return errors as described below. In the absence of errors, or if error detection is not performed, the read() function shall return zero and have no other results."

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

-rw-r--r-- drivers/input/misc/uinput.c 3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 1b4ee4a5c49c..e74ed9cc6371 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -476,6 +476,9 @@ static ssize_t uinput_read(struct file *file, char __user *buffer, size_t count,
struct input_event event;
int retval = 0;
+ if (count != 0 && count < input_event_size())
+ return -EINVAL;
+
if (udev->state != UIST_CREATED)
return -ENODEV;
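
Review bot: the `count != 0` exemption in the new check at the top of uinput_read() has no comment in the code, so the reason a zero-length read is let through lives only in the commit message. A one-line comment above the `if`, saying that zero-length reads are deliberately passed through per the read() specification, would keep a later cleanup from simplifying the condition to `count < input_event_size()`. The check also runs before `if (udev->state != UIST_CREATED)`, so a too-small read on a device that has not been created returns -EINVAL rather than -ENODEV; if -ENODEV should take priority, move the size check below the state check. The rest of the function is not visible in this hunk, so it is worth confirming that the count == 0 path further down returns 0 as the commit message intends.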