Input: fix potential overflows in driver/input/joystick
authorDmitry Torokhov <dtor_core@ameritech.net>
Mon, 26 Jun 2006 05:45:48 +0000 (01:45 -0400)
committerDmitry Torokhov <dtor_core@ameritech.net>
Mon, 26 Jun 2006 05:45:48 +0000 (01:45 -0400)
Change all sprintfs into snprintfs to make sure we won't stomp on
data adjacent to our buffers.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
16 files changed:
drivers/input/joystick/a3d.c
drivers/input/joystick/analog.c
drivers/input/joystick/cobra.c
drivers/input/joystick/db9.c
drivers/input/joystick/gamecon.c
drivers/input/joystick/gf2k.c
drivers/input/joystick/grip.c
drivers/input/joystick/guillemot.c
drivers/input/joystick/interact.c
drivers/input/joystick/magellan.c
drivers/input/joystick/sidewinder.c
drivers/input/joystick/spaceball.c
drivers/input/joystick/spaceorb.c
drivers/input/joystick/stinger.c
drivers/input/joystick/twidjoy.c
drivers/input/joystick/warrior.c

index 4612d13ea756640f1767f86532ca03a30d55203e..b11a4bbc84c46df95d0324937d225bc150d755fe 100644 (file)
@@ -306,7 +306,7 @@ static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
        gameport_set_poll_handler(gameport, a3d_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(a3d->phys, "%s/input0", gameport->phys);
+       snprintf(a3d->phys, sizeof(a3d->phys), "%s/input0", gameport->phys);
 
        input_dev->name = a3d_names[a3d->mode];
        input_dev->phys = a3d->phys;
index 3121961e3e7c8876153fc70a41448f88d8468913..01dc0b195d599277a5cba6bd340f2c7259765ffe 100644 (file)
@@ -408,21 +408,23 @@ static void analog_calibrate_timer(struct analog_port *port)
 
 static void analog_name(struct analog *analog)
 {
-       sprintf(analog->name, "Analog %d-axis %d-button",
-               hweight8(analog->mask & ANALOG_AXES_STD),
-               hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
-               hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
+       snprintf(analog->name, sizeof(analog->name), "Analog %d-axis %d-button",
+                hweight8(analog->mask & ANALOG_AXES_STD),
+                hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
+                hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
 
        if (analog->mask & ANALOG_HATS_ALL)
-               sprintf(analog->name, "%s %d-hat",
-                       analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
+               snprintf(analog->name, sizeof(analog->name), "%s %d-hat",
+                        analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
 
        if (analog->mask & ANALOG_HAT_FCS)
-                       strcat(analog->name, " FCS");
+               strlcat(analog->name, " FCS", sizeof(analog->name));
        if (analog->mask & ANALOG_ANY_CHF)
-                       strcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF");
+               strlcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF",
+                       sizeof(analog->name));
 
-       strcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick");
+       strlcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick",
+               sizeof(analog->name));
 }
 
 /*
@@ -435,7 +437,8 @@ static int analog_init_device(struct analog_port *port, struct analog *analog, i
        int i, j, t, v, w, x, y, z;
 
        analog_name(analog);
-       sprintf(analog->phys, "%s/input%d", port->gameport->phys, index);
+       snprintf(analog->phys, sizeof(analog->phys),
+                "%s/input%d", port->gameport->phys, index);
        analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn;
 
        analog->dev = input_dev = input_allocate_device();
index 1909f7ef340c7b939259e8b398f6dfec3b80fc2d..d5e42eb88a207a610d7addab264a9c9fe58659fb 100644 (file)
@@ -202,7 +202,8 @@ static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
                        goto fail3;
                }
 
-               sprintf(cobra->phys[i], "%s/input%d", gameport->phys, i);
+               snprintf(cobra->phys[i], sizeof(cobra->phys[i]),
+                        "%s/input%d", gameport->phys, i);
 
                input_dev->name = "Creative Labs Blaster GamePad Cobra";
                input_dev->phys = cobra->phys[i];
index e61894685cb1b29f3ef884a9e8ce9d5e780d9c56..6f31f054d1bb9b144f5edd05c925dbac236795b9 100644 (file)
@@ -620,7 +620,8 @@ static struct db9 __init *db9_probe(int parport, int mode)
                        goto err_unreg_devs;
                }
 
-               sprintf(db9->phys[i], "%s/input%d", db9->pd->port->name, i);
+               snprintf(db9->phys[i], sizeof(db9->phys[i]),
+                        "%s/input%d", db9->pd->port->name, i);
 
                input_dev->name = db9_mode->name;
                input_dev->phys = db9->phys[i];
index ecbdb6b9bbd6dd64323a929a98a5b95d6d97dc52..fe12aa37393d9560c080f823182cd21b93339f8b 100644 (file)
@@ -761,7 +761,8 @@ static struct gc __init *gc_probe(int parport, int *pads, int n_pads)
                if (!pads[i])
                        continue;
 
-               sprintf(gc->phys[i], "%s/input%d", gc->pd->port->name, i);
+               snprintf(gc->phys[i], sizeof(gc->phys[i]),
+                        "%s/input%d", gc->pd->port->name, i);
                err = gc_setup_pad(gc, i, pads[i]);
                if (err)
                        goto err_unreg_devs;
index 8a3ad455eb385c2dc79285fe5db31f48c7126bdf..e4a699f6ec87603d9f9e840f3353419cded537a4 100644 (file)
@@ -298,7 +298,7 @@ static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
        gameport_set_poll_handler(gameport, gf2k_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(gf2k->phys, "%s/input0", gameport->phys);
+       snprintf(gf2k->phys, sizeof(gf2k->phys), "%s/input0", gameport->phys);
 
        gf2k->length = gf2k_lens[gf2k->id];
 
index 20cb98ac2d794d20de2a385555d337e97116bd1d..17a90c436de85a35398ea2e1334c180b812954aa 100644 (file)
@@ -354,7 +354,8 @@ static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
                        goto fail3;
                }
 
-               sprintf(grip->phys[i], "%s/input%d", gameport->phys, i);
+               snprintf(grip->phys[i], sizeof(grip->phys[i]),
+                        "%s/input%d", gameport->phys, i);
 
                input_dev->name = grip_name[grip->mode[i]];
                input_dev->phys = grip->phys[i];
index 6e2c721c26bae3229b9a0a1a87a15f547a416dec..840ed9b512b26b5695e530545ba585741b1e9555 100644 (file)
@@ -222,7 +222,7 @@ static int guillemot_connect(struct gameport *gameport, struct gameport_driver *
        gameport_set_poll_handler(gameport, guillemot_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(guillemot->phys, "%s/input0", gameport->phys);
+       snprintf(guillemot->phys, sizeof(guillemot->phys), "%s/input0", gameport->phys);
        guillemot->type = guillemot_type + i;
 
        input_dev->name = guillemot_type[i].name;
index c4ed01758226ae34b07f4210461245c6a1e69c1f..bbfeb9c59b874c763158a1e458ce35e8a4844ebc 100644 (file)
@@ -251,7 +251,7 @@ static int interact_connect(struct gameport *gameport, struct gameport_driver *d
        gameport_set_poll_handler(gameport, interact_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(interact->phys, "%s/input0", gameport->phys);
+       snprintf(interact->phys, sizeof(interact->phys), "%s/input0", gameport->phys);
 
        interact->type = i;
        interact->length = interact_type[i].length;
index ca3cc2319d6ae393e11dc1db5fd2645f16906e2e..168b1061a03bd35fd3399658d841c814407bb1e1 100644 (file)
@@ -162,7 +162,7 @@ static int magellan_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        magellan->dev = input_dev;
-       sprintf(magellan->phys, "%s/input0", serio->phys);
+       snprintf(magellan->phys, sizeof(magellan->phys), "%s/input0", serio->phys);
 
        input_dev->name = "LogiCad3D Magellan / SpaceMouse";
        input_dev->phys = magellan->phys;
index 95c0de7964a0803f788764a7426cb66b75f79867..e58b22c018e4af75d908b1b36e1d7de10c460e0f 100644 (file)
@@ -541,7 +541,7 @@ static void sw_print_packet(char *name, int length, unsigned char *buf, char bit
  * Unfortunately I don't know how to do this for the other SW types.
  */
 
-static void sw_3dp_id(unsigned char *buf, char *comment)
+static void sw_3dp_id(unsigned char *buf, char *comment, size_t size)
 {
        int i;
        char pnp[8], rev[9];
@@ -554,7 +554,7 @@ static void sw_3dp_id(unsigned char *buf, char *comment)
 
        pnp[7] = rev[8] = 0;
 
-       sprintf(comment, " [PnP %d.%02d id %s rev %s]",
+       snprintf(comment, size, " [PnP %d.%02d id %s rev %s]",
                (int) ((sw_get_bits(buf, 8, 6, 1) << 6) |               /* Two 6-bit values */
                        sw_get_bits(buf, 16, 6, 1)) / 100,
                (int) ((sw_get_bits(buf, 8, 6, 1) << 6) |
@@ -695,7 +695,7 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
                                                sw->type = SW_ID_FFP;
                                                sprintf(comment, " [AC %s]", sw_get_bits(idbuf,38,1,3) ? "off" : "on");
                                        } else
-                                       sw->type = SW_ID_PP;
+                                               sw->type = SW_ID_PP;
                                        break;
                                case 66:
                                        sw->bits = 3;
@@ -703,7 +703,8 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
                                        sw->length = 22;
                                case 64:
                                        sw->type = SW_ID_3DP;
-                                       if (j == 160) sw_3dp_id(idbuf, comment);
+                                       if (j == 160)
+                                               sw_3dp_id(idbuf, comment, sizeof(comment));
                                        break;
                        }
                }
@@ -733,8 +734,10 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
        for (i = 0; i < sw->number; i++) {
                int bits, code;
 
-               sprintf(sw->name, "Microsoft SideWinder %s", sw_name[sw->type]);
-               sprintf(sw->phys[i], "%s/input%d", gameport->phys, i);
+               snprintf(sw->name, sizeof(sw->name),
+                        "Microsoft SideWinder %s", sw_name[sw->type]);
+               snprintf(sw->phys[i], sizeof(sw->phys[i]),
+                        "%s/input%d", gameport->phys, i);
 
                sw->dev[i] = input_dev = input_allocate_device();
                if (!input_dev) {
index d6f8db8ec3fd34aacc743156d5a9ae91c2170af4..75eb5ca59992aa21afc6244fe39c264887cbdff0 100644 (file)
@@ -220,7 +220,7 @@ static int spaceball_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        spaceball->dev = input_dev;
-       sprintf(spaceball->phys, "%s/input0", serio->phys);
+       snprintf(spaceball->phys, sizeof(spaceball->phys), "%s/input0", serio->phys);
 
        input_dev->name = spaceball_names[id];
        input_dev->phys = spaceball->phys;
index 7c123a01c58e529198e0a1991e7d1c45e2a030c5..3e2782e79834cc24397eb93e8ad3223b1a4afef0 100644 (file)
@@ -177,7 +177,7 @@ static int spaceorb_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        spaceorb->dev = input_dev;
-       sprintf(spaceorb->phys, "%s/input0", serio->phys);
+       snprintf(spaceorb->phys, sizeof(spaceorb->phys), "%s/input0", serio->phys);
 
        input_dev->name = "SpaceTec SpaceOrb 360 / Avenger";
        input_dev->phys = spaceorb->phys;
index 0a9ed1d306367c3a7f2c174b38879776b2c0ceed..011ec4858e15553f60df86057eb42699f20a80b3 100644 (file)
@@ -148,7 +148,7 @@ static int stinger_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        stinger->dev = input_dev;
-       sprintf(stinger->phys, "%s/serio0", serio->phys);
+       snprintf(stinger->phys, sizeof(stinger->phys), "%s/serio0", serio->phys);
 
        input_dev->name = "Gravis Stinger";
        input_dev->phys = stinger->phys;
index 7f8b0093c5bc5e16857338950706ad735a3b187c..076f237d965471eab6c76a7f9599147daa202e14 100644 (file)
@@ -199,7 +199,7 @@ static int twidjoy_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        twidjoy->dev = input_dev;
-       sprintf(twidjoy->phys, "%s/input0", serio->phys);
+       snprintf(twidjoy->phys, sizeof(twidjoy->phys), "%s/input0", serio->phys);
 
        input_dev->name = "Handykey Twiddler";
        input_dev->phys = twidjoy->phys;
index 1849b176cf1871263171be8d5311cb8470f8784e..f9c1a03214eb6ddd04ac2cdf1e5bd5d97cccb94a 100644 (file)
@@ -154,7 +154,7 @@ static int warrior_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        warrior->dev = input_dev;
-       sprintf(warrior->phys, "%s/input0", serio->phys);
+       snprintf(warrior->phys, sizeof(warrior->phys), "%s/input0", serio->phys);
 
        input_dev->name = "Logitech WingMan Warrior";
        input_dev->phys = warrior->phys;