From 10ca4c0a622a942e55dc8a6d57ebd441089c9e38 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov Date: Mon, 26 Jun 2006 01:45:48 -0400 Subject: [PATCH] Input: fix potential overflows in driver/input/joystick Change all sprintfs into snprintfs to make sure we won't stomp on data adjacent to our buffers. Signed-off-by: Dmitry Torokhov --- drivers/input/joystick/a3d.c | 2 +- drivers/input/joystick/analog.c | 23 +++++++++++++---------- drivers/input/joystick/cobra.c | 3 ++- drivers/input/joystick/db9.c | 3 ++- drivers/input/joystick/gamecon.c | 3 ++- drivers/input/joystick/gf2k.c | 2 +- drivers/input/joystick/grip.c | 3 ++- drivers/input/joystick/guillemot.c | 2 +- drivers/input/joystick/interact.c | 2 +- drivers/input/joystick/magellan.c | 2 +- drivers/input/joystick/sidewinder.c | 15 +++++++++------ drivers/input/joystick/spaceball.c | 2 +- drivers/input/joystick/spaceorb.c | 2 +- drivers/input/joystick/stinger.c | 2 +- drivers/input/joystick/twidjoy.c | 2 +- drivers/input/joystick/warrior.c | 2 +- 16 files changed, 40 insertions(+), 30 deletions(-) diff --git a/drivers/input/joystick/a3d.c b/drivers/input/joystick/a3d.c index 4612d13ea756..b11a4bbc84c4 100644 --- a/drivers/input/joystick/a3d.c +++ b/drivers/input/joystick/a3d.c @@ -306,7 +306,7 @@ static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv) gameport_set_poll_handler(gameport, a3d_poll); gameport_set_poll_interval(gameport, 20); - sprintf(a3d->phys, "%s/input0", gameport->phys); + snprintf(a3d->phys, sizeof(a3d->phys), "%s/input0", gameport->phys); input_dev->name = a3d_names[a3d->mode]; input_dev->phys = a3d->phys; diff --git a/drivers/input/joystick/analog.c b/drivers/input/joystick/analog.c index 3121961e3e7c..01dc0b195d59 100644 --- a/drivers/input/joystick/analog.c +++ b/drivers/input/joystick/analog.c @@ -408,21 +408,23 @@ static void analog_calibrate_timer(struct analog_port *port) static void analog_name(struct analog *analog) { - sprintf(analog->name, "Analog %d-axis %d-button", - hweight8(analog->mask & ANALOG_AXES_STD), - hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 + - hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4); + snprintf(analog->name, sizeof(analog->name), "Analog %d-axis %d-button", + hweight8(analog->mask & ANALOG_AXES_STD), + hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 + + hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4); if (analog->mask & ANALOG_HATS_ALL) - sprintf(analog->name, "%s %d-hat", - analog->name, hweight16(analog->mask & ANALOG_HATS_ALL)); + snprintf(analog->name, sizeof(analog->name), "%s %d-hat", + analog->name, hweight16(analog->mask & ANALOG_HATS_ALL)); if (analog->mask & ANALOG_HAT_FCS) - strcat(analog->name, " FCS"); + strlcat(analog->name, " FCS", sizeof(analog->name)); if (analog->mask & ANALOG_ANY_CHF) - strcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF"); + strlcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF", + sizeof(analog->name)); - strcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick"); + strlcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick", + sizeof(analog->name)); } /* @@ -435,7 +437,8 @@ static int analog_init_device(struct analog_port *port, struct analog *analog, i int i, j, t, v, w, x, y, z; analog_name(analog); - sprintf(analog->phys, "%s/input%d", port->gameport->phys, index); + snprintf(analog->phys, sizeof(analog->phys), + "%s/input%d", port->gameport->phys, index); analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn; analog->dev = input_dev = input_allocate_device(); diff --git a/drivers/input/joystick/cobra.c b/drivers/input/joystick/cobra.c index 1909f7ef340c..d5e42eb88a20 100644 --- a/drivers/input/joystick/cobra.c +++ b/drivers/input/joystick/cobra.c @@ -202,7 +202,8 @@ static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv) goto fail3; } - sprintf(cobra->phys[i], "%s/input%d", gameport->phys, i); + snprintf(cobra->phys[i], sizeof(cobra->phys[i]), + "%s/input%d", gameport->phys, i); input_dev->name = "Creative Labs Blaster GamePad Cobra"; input_dev->phys = cobra->phys[i]; diff --git a/drivers/input/joystick/db9.c b/drivers/input/joystick/db9.c index e61894685cb1..6f31f054d1bb 100644 --- a/drivers/input/joystick/db9.c +++ b/drivers/input/joystick/db9.c @@ -620,7 +620,8 @@ static struct db9 __init *db9_probe(int parport, int mode) goto err_unreg_devs; } - sprintf(db9->phys[i], "%s/input%d", db9->pd->port->name, i); + snprintf(db9->phys[i], sizeof(db9->phys[i]), + "%s/input%d", db9->pd->port->name, i); input_dev->name = db9_mode->name; input_dev->phys = db9->phys[i]; diff --git a/drivers/input/joystick/gamecon.c b/drivers/input/joystick/gamecon.c index ecbdb6b9bbd6..fe12aa37393d 100644 --- a/drivers/input/joystick/gamecon.c +++ b/drivers/input/joystick/gamecon.c @@ -761,7 +761,8 @@ static struct gc __init *gc_probe(int parport, int *pads, int n_pads) if (!pads[i]) continue; - sprintf(gc->phys[i], "%s/input%d", gc->pd->port->name, i); + snprintf(gc->phys[i], sizeof(gc->phys[i]), + "%s/input%d", gc->pd->port->name, i); err = gc_setup_pad(gc, i, pads[i]); if (err) goto err_unreg_devs; diff --git a/drivers/input/joystick/gf2k.c b/drivers/input/joystick/gf2k.c index 8a3ad455eb38..e4a699f6ec87 100644 --- a/drivers/input/joystick/gf2k.c +++ b/drivers/input/joystick/gf2k.c @@ -298,7 +298,7 @@ static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv) gameport_set_poll_handler(gameport, gf2k_poll); gameport_set_poll_interval(gameport, 20); - sprintf(gf2k->phys, "%s/input0", gameport->phys); + snprintf(gf2k->phys, sizeof(gf2k->phys), "%s/input0", gameport->phys); gf2k->length = gf2k_lens[gf2k->id]; diff --git a/drivers/input/joystick/grip.c b/drivers/input/joystick/grip.c index 20cb98ac2d79..17a90c436de8 100644 --- a/drivers/input/joystick/grip.c +++ b/drivers/input/joystick/grip.c @@ -354,7 +354,8 @@ static int grip_connect(struct gameport *gameport, struct gameport_driver *drv) goto fail3; } - sprintf(grip->phys[i], "%s/input%d", gameport->phys, i); + snprintf(grip->phys[i], sizeof(grip->phys[i]), + "%s/input%d", gameport->phys, i); input_dev->name = grip_name[grip->mode[i]]; input_dev->phys = grip->phys[i]; diff --git a/drivers/input/joystick/guillemot.c b/drivers/input/joystick/guillemot.c index 6e2c721c26ba..840ed9b512b2 100644 --- a/drivers/input/joystick/guillemot.c +++ b/drivers/input/joystick/guillemot.c @@ -222,7 +222,7 @@ static int guillemot_connect(struct gameport *gameport, struct gameport_driver * gameport_set_poll_handler(gameport, guillemot_poll); gameport_set_poll_interval(gameport, 20); - sprintf(guillemot->phys, "%s/input0", gameport->phys); + snprintf(guillemot->phys, sizeof(guillemot->phys), "%s/input0", gameport->phys); guillemot->type = guillemot_type + i; input_dev->name = guillemot_type[i].name; diff --git a/drivers/input/joystick/interact.c b/drivers/input/joystick/interact.c index c4ed01758226..bbfeb9c59b87 100644 --- a/drivers/input/joystick/interact.c +++ b/drivers/input/joystick/interact.c @@ -251,7 +251,7 @@ static int interact_connect(struct gameport *gameport, struct gameport_driver *d gameport_set_poll_handler(gameport, interact_poll); gameport_set_poll_interval(gameport, 20); - sprintf(interact->phys, "%s/input0", gameport->phys); + snprintf(interact->phys, sizeof(interact->phys), "%s/input0", gameport->phys); interact->type = i; interact->length = interact_type[i].length; diff --git a/drivers/input/joystick/magellan.c b/drivers/input/joystick/magellan.c index ca3cc2319d6a..168b1061a03b 100644 --- a/drivers/input/joystick/magellan.c +++ b/drivers/input/joystick/magellan.c @@ -162,7 +162,7 @@ static int magellan_connect(struct serio *serio, struct serio_driver *drv) goto fail; magellan->dev = input_dev; - sprintf(magellan->phys, "%s/input0", serio->phys); + snprintf(magellan->phys, sizeof(magellan->phys), "%s/input0", serio->phys); input_dev->name = "LogiCad3D Magellan / SpaceMouse"; input_dev->phys = magellan->phys; diff --git a/drivers/input/joystick/sidewinder.c b/drivers/input/joystick/sidewinder.c index 95c0de7964a0..e58b22c018e4 100644 --- a/drivers/input/joystick/sidewinder.c +++ b/drivers/input/joystick/sidewinder.c @@ -541,7 +541,7 @@ static void sw_print_packet(char *name, int length, unsigned char *buf, char bit * Unfortunately I don't know how to do this for the other SW types. */ -static void sw_3dp_id(unsigned char *buf, char *comment) +static void sw_3dp_id(unsigned char *buf, char *comment, size_t size) { int i; char pnp[8], rev[9]; @@ -554,7 +554,7 @@ static void sw_3dp_id(unsigned char *buf, char *comment) pnp[7] = rev[8] = 0; - sprintf(comment, " [PnP %d.%02d id %s rev %s]", + snprintf(comment, size, " [PnP %d.%02d id %s rev %s]", (int) ((sw_get_bits(buf, 8, 6, 1) << 6) | /* Two 6-bit values */ sw_get_bits(buf, 16, 6, 1)) / 100, (int) ((sw_get_bits(buf, 8, 6, 1) << 6) | @@ -695,7 +695,7 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv) sw->type = SW_ID_FFP; sprintf(comment, " [AC %s]", sw_get_bits(idbuf,38,1,3) ? "off" : "on"); } else - sw->type = SW_ID_PP; + sw->type = SW_ID_PP; break; case 66: sw->bits = 3; @@ -703,7 +703,8 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv) sw->length = 22; case 64: sw->type = SW_ID_3DP; - if (j == 160) sw_3dp_id(idbuf, comment); + if (j == 160) + sw_3dp_id(idbuf, comment, sizeof(comment)); break; } } @@ -733,8 +734,10 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv) for (i = 0; i < sw->number; i++) { int bits, code; - sprintf(sw->name, "Microsoft SideWinder %s", sw_name[sw->type]); - sprintf(sw->phys[i], "%s/input%d", gameport->phys, i); + snprintf(sw->name, sizeof(sw->name), + "Microsoft SideWinder %s", sw_name[sw->type]); + snprintf(sw->phys[i], sizeof(sw->phys[i]), + "%s/input%d", gameport->phys, i); sw->dev[i] = input_dev = input_allocate_device(); if (!input_dev) { diff --git a/drivers/input/joystick/spaceball.c b/drivers/input/joystick/spaceball.c index d6f8db8ec3fd..75eb5ca59992 100644 --- a/drivers/input/joystick/spaceball.c +++ b/drivers/input/joystick/spaceball.c @@ -220,7 +220,7 @@ static int spaceball_connect(struct serio *serio, struct serio_driver *drv) goto fail; spaceball->dev = input_dev; - sprintf(spaceball->phys, "%s/input0", serio->phys); + snprintf(spaceball->phys, sizeof(spaceball->phys), "%s/input0", serio->phys); input_dev->name = spaceball_names[id]; input_dev->phys = spaceball->phys; diff --git a/drivers/input/joystick/spaceorb.c b/drivers/input/joystick/spaceorb.c index 7c123a01c58e..3e2782e79834 100644 --- a/drivers/input/joystick/spaceorb.c +++ b/drivers/input/joystick/spaceorb.c @@ -177,7 +177,7 @@ static int spaceorb_connect(struct serio *serio, struct serio_driver *drv) goto fail; spaceorb->dev = input_dev; - sprintf(spaceorb->phys, "%s/input0", serio->phys); + snprintf(spaceorb->phys, sizeof(spaceorb->phys), "%s/input0", serio->phys); input_dev->name = "SpaceTec SpaceOrb 360 / Avenger"; input_dev->phys = spaceorb->phys; diff --git a/drivers/input/joystick/stinger.c b/drivers/input/joystick/stinger.c index 0a9ed1d30636..011ec4858e15 100644 --- a/drivers/input/joystick/stinger.c +++ b/drivers/input/joystick/stinger.c @@ -148,7 +148,7 @@ static int stinger_connect(struct serio *serio, struct serio_driver *drv) goto fail; stinger->dev = input_dev; - sprintf(stinger->phys, "%s/serio0", serio->phys); + snprintf(stinger->phys, sizeof(stinger->phys), "%s/serio0", serio->phys); input_dev->name = "Gravis Stinger"; input_dev->phys = stinger->phys; diff --git a/drivers/input/joystick/twidjoy.c b/drivers/input/joystick/twidjoy.c index 7f8b0093c5bc..076f237d9654 100644 --- a/drivers/input/joystick/twidjoy.c +++ b/drivers/input/joystick/twidjoy.c @@ -199,7 +199,7 @@ static int twidjoy_connect(struct serio *serio, struct serio_driver *drv) goto fail; twidjoy->dev = input_dev; - sprintf(twidjoy->phys, "%s/input0", serio->phys); + snprintf(twidjoy->phys, sizeof(twidjoy->phys), "%s/input0", serio->phys); input_dev->name = "Handykey Twiddler"; input_dev->phys = twidjoy->phys; diff --git a/drivers/input/joystick/warrior.c b/drivers/input/joystick/warrior.c index 1849b176cf18..f9c1a03214eb 100644 --- a/drivers/input/joystick/warrior.c +++ b/drivers/input/joystick/warrior.c @@ -154,7 +154,7 @@ static int warrior_connect(struct serio *serio, struct serio_driver *drv) goto fail; warrior->dev = input_dev; - sprintf(warrior->phys, "%s/input0", serio->phys); + snprintf(warrior->phys, sizeof(warrior->phys), "%s/input0", serio->phys); input_dev->name = "Logitech WingMan Warrior"; input_dev->phys = warrior->phys; -- 2.20.1