Hello all,
I think I found a possible buffer overflow in hid-core (2.6.10-rc2):
    if (!(buf = kmalloc(64, GFP_KERNEL)))
        goto fail;

    if (usb_string(dev, dev->descriptor.iManufacturer, buf, 64) > 0) {
        strcat(hid->name, buf);
        if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
            snprintf(hid->name, 64, "%s %s", hid->name, buf);
    } else if (usb_string(dev, dev->descriptor.iProduct, buf, 128) > 0) {
        snprintf(hid->name, 128, "%s", buf);
    } else
        snprintf(hid->name, 128, "%04x:%04x", dev->descriptor.idVendor,
                 dev->descriptor.idProduct);

    usb_make_path(dev, buf, 64);
    snprintf(hid->phys, 64, "%s/input%d", buf,
             intf->altsetting[0].desc.bInterfaceNumber);

    if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0)
        hid->uniq[0] = 0;
If I interpret this code correctly, the buffer (buf) will overflow when
the iManufacturer string length is 0 and the iProduct string length
is > 64!
yours,
Peter Bartosch
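For comparison, here is an added example (not the kernel's code and not part of the post) that models the bounded-copy contract of usb_string() with a constructed stand-in and rewrites the name-building logic so every length argument is derived from the buffer it bounds; NAME_LEN, SCRATCH_LEN, fake_usb_string, build_hid_name, demo_long_product and the 0x1234/0x5678 ids are assumptions for the illustration. It also avoids passing hid->name as both source and destination of the same snprintf, which the quoted code does in the manufacturer-plus-product branch.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN    128 /* size of hid->name in the post */
#define SCRATCH_LEN  64 /* size of the kmalloc'd scratch buffer */

/* Constructed stand-in for usb_string(): stores at most size-1 bytes plus a
 * NUL in buf and returns the count stored (0 for an unset descriptor index). */
static int fake_usb_string(const char *desc, char *buf, size_t size)
{
    if (!desc || size == 0)
        return 0;
    size_t n = strlen(desc);
    if (n > size - 1)
        n = size - 1;
    memcpy(buf, desc, n);
    buf[n] = '\0';
    return (int)n;
}

/* Hardened rewrite of the name-building logic: every length argument comes
 * from the buffer it bounds, so no branch can request 128 bytes into a 64-byte
 * buffer, and name is never both source and destination of one snprintf. */
int build_hid_name(const char *manufacturer, const char *product,
                   unsigned vendor, unsigned prod_id, char *name)
{
    char buf[SCRATCH_LEN];
    if (fake_usb_string(manufacturer, buf, sizeof(buf)) > 0) {
        snprintf(name, NAME_LEN, "%s", buf);
        if (fake_usb_string(product, buf, sizeof(buf)) > 0) {
            size_t used = strlen(name);
            snprintf(name + used, NAME_LEN - used, " %s", buf);
        }
    } else if (fake_usb_string(product, buf, sizeof(buf)) > 0) {
        snprintf(name, NAME_LEN, "%s", buf);
    } else {
        snprintf(name, NAME_LEN, "%04x:%04x", vendor, prod_id);
    }
    return (int)strlen(name); /* final name length */
}

/* Constructed input for the case the post raises: no manufacturer string and
 * a 99-byte product string, longer than the scratch buffer. */
int demo_long_product(char *name)
{
    char product[100];
    memset(product, 'A', sizeof(product) - 1);
    product[sizeof(product) - 1] = '\0';
    return build_hid_name(NULL, product, 0x1234, 0x5678, name); /* placeholder ids */
}
```

With the original 128-byte request the long product string would overrun the 64-byte scratch buffer; here it is truncated to 63 characters instead.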