HID: fix incorrect length condition in hidraw_write()
author Jiri Kosina <jkosina@suse.cz>
Wed, 17 Sep 2008 17:41:58 +0000 (19:41 +0200)
committer Jiri Kosina <jkosina@suse.cz>
Tue, 14 Oct 2008 21:51:00 +0000 (23:51 +0200)
The bound check on the buffer length

if (count > HID_MIN_BUFFER_SIZE)

is of course incorrect, the proper check is

if (count > HID_MAX_BUFFER_SIZE)

Fix it.

Reported-by: Jerry Ryle <jerry@mindtribe.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hidraw.c

index 4be240e74d4f96c9d41466f4d06737498efd3ac9..497e0d1dd3c374c7f65129a487f11bb4c807364a 100644 (file)
@@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t
        if (!dev->hid_output_raw_report)
                return -ENODEV;
 
-       if (count > HID_MIN_BUFFER_SIZE) {
+       if (count > HID_MAX_BUFFER_SIZE) {
                printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
                                task_pid_nr(current));
                return -EINVAL;
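Review bot: The printk(KERN_WARNING ...) under the corrected `if (count > HID_MAX_BUFFER_SIZE)` check is reachable by any process that can write to the hidraw node and is not rate-limited, so repeated oversized writes can fill the kernel log; consider guarding it with printk_ratelimit() or demoting it to a debug message. The hunk shows only an upper bound on count, so it is also worth confirming that the code following this check rejects a zero-length or very short write before the buffer is used. The commit message would be more useful to backporters if it stated the user-visible effect of the old comparison, namely that any write larger than HID_MIN_BUFFER_SIZE was refused with -EINVAL.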