Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object | linux-input

[PATCH 00/20] cleanup atmel_mxt_ts · Daniel Kurtz <hidden> · 2012-03-13
[PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object · Joonyoung Shim <hidden> · 2012-03-14
Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object · Daniel Kurtz <hidden> · 2012-03-14
Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object · Joonyoung Shim <hidden> · 2012-03-14
[PATCH 01/20] Input: atmel_mxt_ts - use CONFIG_PM_SLEEP · Daniel Kurtz <hidden> · 2012-03-13
[PATCH 19/20] Input: atmel_mxt_ts - remove mxt_make_highchg and parse T6 report · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 19/20] Input: atmel_mxt_ts - remove mxt_make_highchg and parse T6 report · Nick Dyer <hidden> · 2012-03-20
Re: [PATCH 19/20] Input: atmel_mxt_ts - remove mxt_make_highchg and parse T6 report · Daniel Kurtz <hidden> · 2012-03-29
Re: [PATCH 19/20] Input: atmel_mxt_ts - remove mxt_make_highchg and parse T6 report · Nick Dyer <hidden> · 2012-03-30
[PATCH 09/20] Input: atmel_mxt_ts - do not read extra (checksum) byte · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 09/20] Input: atmel_mxt_ts - do not read extra (checksum) byte · Nick Dyer <hidden> · 2012-03-20
RE: [PATCH 09/20] Input: atmel_mxt_ts - do not read extra (checksum) byte · Bowens, Alan <hidden> · 2012-03-22
[PATCH 17/20] Input: atmel_mxt_ts - use cached T9 reportid range in isr · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 17/20] Input: atmel_mxt_ts - use cached T9 reportid range in isr · Nick Dyer <hidden> · 2012-03-20
[PATCH 11/20] Input: atmel_mxt_ts - refactor mxt_object_show · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 11/20] Input: atmel_mxt_ts - refactor mxt_object_show · Nick Dyer <hidden> · 2012-03-20
[PATCH 16/20] Input: atmel_mxt_ts - refactor get info · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 16/20] Input: atmel_mxt_ts - refactor get info · Nick Dyer <hidden> · 2012-03-20
[PATCH 07/20] Input: atmel_mxt_ts - add backupnv sysfs entry · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 07/20] Input: atmel_mxt_ts - add backupnv sysfs entry · Nick Dyer <hidden> · 2012-03-20
[PATCH 08/20] Input: atmel_mxt_ts - store actual size and instance · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 08/20] Input: atmel_mxt_ts - store actual size and instance · Nick Dyer <hidden> · 2012-03-20
[PATCH 14/20] Input: atmel_mxt_ts - refactor reading object table · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 14/20] Input: atmel_mxt_ts - refactor reading object table · Nick Dyer <hidden> · 2012-03-20
[PATCH 13/20] Input: atmel_mxt_ts - parse vector field of data packets · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 13/20] Input: atmel_mxt_ts - parse vector field of data packets · Nick Dyer <hidden> · 2012-03-20
[PATCH 12/20] Input: atmel_mxt_ts - simplify event reporting · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 12/20] Input: atmel_mxt_ts - simplify event reporting · Henrik Rydberg <hidden> · 2012-03-19
Re: [PATCH 12/20] Input: atmel_mxt_ts - simplify event reporting · Daniel Kurtz <hidden> · 2012-03-19
Re: [PATCH 12/20] Input: atmel_mxt_ts - simplify event reporting · Nick Dyer <hidden> · 2012-03-20
[PATCH 05/20] Input: atmel_mxt_ts - dump mxt_read/write_reg · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 05/20] Input: atmel_mxt_ts - dump mxt_read/write_reg · Nick Dyer <hidden> · 2012-03-20
[PATCH 04/20] Input: atmel_mxt_ts - refactor mxt_read/write_reg to take a length · Daniel Kurtz <hidden> · 2012-03-13
[PATCH 10/20] Input: atmel_mxt_ts - dump each message on just 1 line · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 10/20] Input: atmel_mxt_ts - dump each message on just 1 line · Nick Dyer <hidden> · 2012-03-20
[PATCH 02/20] Input: atmel_mxt_ts - only allow root to update firmware · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 02/20] Input: atmel_mxt_ts - only allow root to update firmware · Nick Dyer <hidden> · 2012-03-20
[PATCH 06/20] Input: atmel_mxt_ts - allow writing to object sysfs entry · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 06/20] Input: atmel_mxt_ts - allow writing to object sysfs entry · Henrik Rydberg <hidden> · 2012-03-19
Re: [PATCH 06/20] Input: atmel_mxt_ts - allow writing to object sysfs entry · Daniel Kurtz <hidden> · 2012-03-19
Re: [PATCH 06/20] Input: atmel_mxt_ts - allow writing to object sysfs entry · Nick Dyer <hidden> · 2012-03-20
Re: [PATCH 06/20] Input: atmel_mxt_ts - allow writing to object sysfs entry · Alan Cox <hidden> · 2012-03-20
Re: [PATCH 06/20] Input: atmel_mxt_ts - allow writing to object sysfs entry · Nick Dyer <hidden> · 2012-03-20
[PATCH 15/20] Input: atmel_mxt_ts - optimize writing of object table entries · Daniel Kurtz <hidden> · 2012-03-13
[PATCH 18/20] Input: atmel_mxt_ts - read num messages, then all messages · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 18/20] Input: atmel_mxt_ts - read num messages, then all messages · Joonyoung Shim <hidden> · 2012-03-14
Re: [PATCH 18/20] Input: atmel_mxt_ts - read num messages, then all messages · Daniel Kurtz <hidden> · 2012-03-14
Re: [PATCH 18/20] Input: atmel_mxt_ts - read num messages, then all messages · Nick Dyer <hidden> · 2012-03-20
[PATCH 20/20] Input: atmel_mxt_ts - send all MT-B slots in one input report · Daniel Kurtz <hidden> · 2012-03-13
Re: [PATCH 20/20] Input: atmel_mxt_ts - send all MT-B slots in one input report · Nick Dyer <hidden> · 2012-03-20
Re: [PATCH 00/20] cleanup atmel_mxt_ts · Joonyoung Shim <hidden> · 2012-03-14
RE: [PATCH 00/20] cleanup atmel_mxt_ts · Valkonen, Iiro <hidden> · 2012-03-14
Re: [PATCH 00/20] cleanup atmel_mxt_ts · Nick Dyer <hidden> · 2012-03-20

Re: [PATCH 03/20] Input: atmel_mxt_ts - verify object size in mxt_write_object

From: Daniel Kurtz <hidden>
Date: 2012-03-14 02:14:09
Also in: lkml

On Wed, Mar 14, 2012 at 9:33 AM, Joonyoung Shim [off-list ref] wrote:

On 03/13/2012 09:04 PM, Daniel Kurtz wrote:

quoted

Don't allow writing past the length of an object.

Signed-off-by: Daniel Kurtz<redacted>
---
 drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c

b/drivers/input/touchscreen/atmel_mxt_ts.c
index 0d4d492..e18c698 100644

--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c

@@ -506,7 +506,7 @@ static int mxt_write_object(struct mxt_data *data,

       u16 reg;

       object = mxt_get_object(data, type);
-       if (!object)
+       if (!object || offset>= object->size)


The object->size is actual object size - 1.

+       if (!object || offset>  object->size)

Whoops.  Good catch.  Will move this patch after patch 08, which fixes
the object size.

quoted

               return -EINVAL;

       reg = object->start_address;

--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help