Hi

On Thu, Feb 20, 2014 at 5:36 PM, Frank Praznik <[email protected]> wrote:
> Make sure that an out-of-bounds read doesn't occur in the Sixaxis battery level
> lookup table in the event that the controller sends an invalid battery status
> value in the report.
>
> Signed-off-by: Frank Praznik <[email protected]>
> ---
>  drivers/hid/hid-sony.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
> index a51a9c0..b39e3ab 100644
> --- a/drivers/hid/hid-sony.c
> +++ b/drivers/hid/hid-sony.c
> @@ -854,7 +854,8 @@ static void sixaxis_parse_report(struct sony_sc *sc, __u8 
> *rd, int size)
>                 battery_capacity = 100;
>                 battery_charging = !(rd[30] & 0x01);
>         } else {
> -               battery_capacity = sixaxis_battery_capacity[rd[30]];
> +               __u8 index = rd[30] <= 5 ? rd[30] : 5;
> +               battery_capacity = sixaxis_battery_capacity[index];

Does it make sense to read something else on invalid reports? Sounds
weird to me to just read at a lower index in case it's too short.
Shouldn't you just bail out? But the worst that can happen is wrong
battery values reported to user-space, so I'm fine with it.

Thanks
David

>                 battery_charging = 0;
>         }
>         cable_state = !((rd[31] >> 4) & 0x01);
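Review bot: The added `__u8 index = rd[30] <= 5 ? rd[30] : 5;` line hard-codes the last valid index of sixaxis_battery_capacity as a bare 5, twice, so the bound silently goes stale if the table ever changes length. Deriving it from the table, for example with `ARRAY_SIZE(sixaxis_battery_capacity) - 1` or a `min_t()` against that value, keeps the check and the array in step. The clamp also maps every out-of-range status byte to the last table entry without saying so; a short comment stating that this is intentional would answer the question of why the driver does not bail out instead. Separately, the visible lines index rd[30] and rd[31] while the function takes an `int size`; if size is not validated earlier in sixaxis_parse_report(), a short report is the same kind of out-of-bounds read on the report buffer itself.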
> --
> 1.8.5.3
>