1. 13 Oct, 2011 1 commit
      Input: force feedback - potential integer wrap in input_ff_create() · 05be8b81
      Dan Carpenter committed
      The problem here is that max_effects can wrap on 32-bit systems.
      We'd allocate a smaller amount of data than sizeof(struct ff_device).
      The call to kcalloc() on the next line would fail but it would write
      the NULL return outside of the memory we just allocated causing data
      corruption.
      
      The call path is that uinput_setup_device() gets ->ff_effects_max from
      the user and sets the value in the ->private_data struct.  From there
      it is:
      -> uinput_ioctl_handler()
         -> uinput_create_device()
            -> input_ff_create(dev, udev->ff_effects_max);
      
      I've also changed ff_effects_max so it's an unsigned int instead of
      a signed int as a cleanup.
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
  2. 12 Oct, 2011 1 commit
  3. 11 Oct, 2011 10 commits
  4. 10 Oct, 2011 3 commits
  5. 07 Oct, 2011 5 commits
  6. 05 Oct, 2011 4 commits
  7. 29 Sep, 2011 1 commit
  8. 21 Sep, 2011 10 commits
  9. 10 Sep, 2011 5 commits
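
The wrap described in the commit message for 05be8b81, modelled as an added example (not the kernel's code and not the patch itself): it shows how a user-supplied max_effects makes a 32-bit size computation come out smaller than the fixed header, and a bounds check that rejects such counts. Assumptions: the size is a header plus max_effects pointer-sized slots, `uint32_t` stands in for a 32-bit `size_t`, and `FF_DEVICE_HDR_SIZE`, `PTR_SIZE` and the three helper names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, constructed sizes for a 32-bit build (not taken from the kernel). */
#define FF_DEVICE_HDR_SIZE 64u /* stand-in for sizeof(struct ff_device) */
#define PTR_SIZE 4u            /* one per-effect pointer slot */

/* Size computed with 32-bit arithmetic and no check: silently wraps. */
uint32_t ff_size_unchecked(uint32_t max_effects)
{
    return (uint32_t)(FF_DEVICE_HDR_SIZE + max_effects * PTR_SIZE);
}

/* True if an allocation of 'size' bytes covers the fixed header, i.e. a
 * store to a header field (such as the kcalloc() result) stays in bounds. */
bool header_fits(uint32_t size)
{
    return size >= FF_DEVICE_HDR_SIZE;
}

/* Hardened form: refuse any count whose size cannot be represented. */
bool ff_size_checked(uint32_t max_effects, uint32_t *size)
{
    if (max_effects > (UINT32_MAX - FF_DEVICE_HDR_SIZE) / PTR_SIZE)
        return false; /* a caller would return -EINVAL here */
    *size = FF_DEVICE_HDR_SIZE + max_effects * PTR_SIZE;
    return true;
}

int main(void)
{
    /* Constructed sample inputs: one sane count, two that wrap. */
    const uint32_t samples[] = { 16u, 0x40000000u, 0xFFFFFFFCu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t n = samples[i], checked = 0;
        uint32_t raw = ff_size_unchecked(n);
        bool ok = ff_size_checked(n, &checked);
        printf("max_effects=%u unchecked=%u header_fits=%d checked=%s\n",
               (unsigned)n, (unsigned)raw, header_fits(raw),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The 0x40000000 sample wraps to exactly the header size, so a "size smaller than the header" test alone would miss it; the range check on the count catches both wrapping inputs.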