Hello all,
I think I found a possible heap buffer overflow in hid-core (2.6.10-rc2), in the code that builds hid->name from the device's string descriptors:

if (!(buf = kmalloc(64, GFP_KERNEL))) goto fail;
if (usb_string(dev, dev->descriptor.iManufacturer, buf, 64) > 0) {
	strcat(hid->name, buf);
	if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
		snprintf(hid->name, 64, "%s %s", hid->name, buf);
} else if (usb_string(dev, dev->descriptor.iProduct, buf, 128) > 0) {
	snprintf(hid->name, 128, "%s", buf);
} else
	snprintf(hid->name, 128, "%04x:%04x", dev->descriptor.idVendor, dev->descriptor.idProduct);
usb_make_path(dev, buf, 64);
snprintf(hid->phys, 64, "%s/input%d", buf, intf->altsetting[0].desc.bInterfaceNumber);
if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0)
	hid->uniq[0] = 0;

If I read this code right: `buf` is allocated with 64 bytes, but in the `else if` branch usb_string() is called with a size of 128. So when the iManufacturer lookup fails (usb_string() returns <= 0, e.g. because iManufacturer is 0 or the descriptor cannot be fetched) and the device's iProduct string is longer than 63 characters, usb_string() writes up to 128 bytes (string plus NUL) into the 64-byte `buf` — a heap overflow of up to 64 bytes, where both the trigger and the overflowing bytes are controlled by the string descriptors of the attached USB device. Two smaller issues in the same code: the branches disagree about the size of hid->name (64 in the first branch, 128 in the others), so whichever the declaration says, one of them is wrong; and snprintf(hid->name, 64, "%s %s", hid->name, buf) passes the destination buffer as a source argument, which is undefined behaviour for snprintf even if the kernel's implementation happens to tolerate it. The simplest fix is to use 64 (better: sizeof) for every write into `buf`, and to build hid->name with strlcpy()/strlcat() bounded by sizeof(hid->name) instead of strcat() and the self-referential snprintf(). yours, Peter Bartosch ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ [EMAIL PROTECTED] To unsubscribe, use the last form field at: https://lists.sourceforge.net/lists/listinfo/linux-usb-devel