[PATCH] Fix incorrect usage of strncpy and strncat in i8042_pnp_kbd_probe(); drivers/input/serio/i8042-x86ia64io.h
From: Roel Kluin <hidden>
Date: 2007-11-05 20:24:34
Subsystem:
input (keyboard, mouse, joystick, touchscreen) drivers, the rest · Maintainers:
Dmitry Torokhov, Linus Torvalds
See http://www.gratisoft.us/todd/papers/strlcpy.html -- Fix incorrect length argument for strncpy and strncat by replacing them with respectively strlcpy and strlcat Signed-off-by: Roel Kluin <redacted> ---
diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
index f8fe421..4e6bd5f 100644
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h@@ -288,6 +288,8 @@ static char i8042_pnp_aux_name[32]; static int i8042_pnp_kbd_probe(struct pnp_dev *dev, const struct pnp_device_id *did) { + const unsigned int nsize = sizeof(i8042_pnp_kbd_name); + if (pnp_port_valid(dev, 0) && pnp_port_len(dev, 0) == 1) i8042_pnp_data_reg = pnp_port_start(dev,0);
@@ -297,10 +299,16 @@ static int i8042_pnp_kbd_probe(struct pnp_dev *dev, const struct pnp_device_id * if (pnp_irq_valid(dev,0)) i8042_pnp_kbd_irq = pnp_irq(dev, 0); - strncpy(i8042_pnp_kbd_name, did->id, sizeof(i8042_pnp_kbd_name)); + if (strlcpy(i8042_pnp_kbd_name, did->id, nsize) >= nsize) + return -ENAMETOOLONG; + if (strlen(pnp_dev_name(dev))) { - strncat(i8042_pnp_kbd_name, ":", sizeof(i8042_pnp_kbd_name)); - strncat(i8042_pnp_kbd_name, pnp_dev_name(dev), sizeof(i8042_pnp_kbd_name)); + if (strlcat(i8042_pnp_kbd_name, ":", nsize) >= nsize) + return -ENAMETOOLONG; + + if (strlcat(i8042_pnp_kbd_name, pnp_dev_name(dev), nsize) >= nsize) + return -ENAMETOOLONG; + } i8042_pnp_kbd_devices++;
@@ -309,6 +317,8 @@ static int i8042_pnp_kbd_probe(struct pnp_dev *dev, const struct pnp_device_id * static int i8042_pnp_aux_probe(struct pnp_dev *dev, const struct pnp_device_id *did) { + const unsigned int nsize = sizeof(i8042_pnp_aux_name); + if (pnp_port_valid(dev, 0) && pnp_port_len(dev, 0) == 1) i8042_pnp_data_reg = pnp_port_start(dev,0);
@@ -318,10 +328,15 @@ static int i8042_pnp_aux_probe(struct pnp_dev *dev, const struct pnp_device_id * if (pnp_irq_valid(dev, 0)) i8042_pnp_aux_irq = pnp_irq(dev, 0); - strncpy(i8042_pnp_aux_name, did->id, sizeof(i8042_pnp_aux_name)); + if (strlcpy(i8042_pnp_aux_name, did->id, nsize) >= nsize) + return -ENAMETOOLONG; + if (strlen(pnp_dev_name(dev))) { - strncat(i8042_pnp_aux_name, ":", sizeof(i8042_pnp_aux_name)); - strncat(i8042_pnp_aux_name, pnp_dev_name(dev), sizeof(i8042_pnp_aux_name)); + if (strlcat(i8042_pnp_aux_name, ":", nsize) >= nsize) + return -ENAMETOOLONG; + + if (strlcat(i8042_pnp_aux_name, pnp_dev_name(dev), nsize) >= nsize) + return -ENAMETOOLONG; } i8042_pnp_aux_devices++;