Input: fix potential overflows in driver/input/joystick
Dmitry Torokhov [Mon, 26 Jun 2006 05:45:48 +0000 (01:45 -0400)]
Change all sprintfs into snprintfs to make sure we won't stomp on
data adjacent to our buffers.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

16 files changed:
drivers/input/joystick/a3d.c
drivers/input/joystick/analog.c
drivers/input/joystick/cobra.c
drivers/input/joystick/db9.c
drivers/input/joystick/gamecon.c
drivers/input/joystick/gf2k.c
drivers/input/joystick/grip.c
drivers/input/joystick/guillemot.c
drivers/input/joystick/interact.c
drivers/input/joystick/magellan.c
drivers/input/joystick/sidewinder.c
drivers/input/joystick/spaceball.c
drivers/input/joystick/spaceorb.c
drivers/input/joystick/stinger.c
drivers/input/joystick/twidjoy.c
drivers/input/joystick/warrior.c

index 4612d13..b11a4bb 100644 (file)
@@ -306,7 +306,7 @@ static int a3d_connect(struct gameport *gameport, struct gameport_driver *drv)
        gameport_set_poll_handler(gameport, a3d_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(a3d->phys, "%s/input0", gameport->phys);
+       snprintf(a3d->phys, sizeof(a3d->phys), "%s/input0", gameport->phys);
 
        input_dev->name = a3d_names[a3d->mode];
        input_dev->phys = a3d->phys;
index 3121961..01dc0b1 100644 (file)
@@ -408,21 +408,23 @@ static void analog_calibrate_timer(struct analog_port *port)
 
 static void analog_name(struct analog *analog)
 {
-       sprintf(analog->name, "Analog %d-axis %d-button",
-               hweight8(analog->mask & ANALOG_AXES_STD),
-               hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
-               hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
+       snprintf(analog->name, sizeof(analog->name), "Analog %d-axis %d-button",
+                hweight8(analog->mask & ANALOG_AXES_STD),
+                hweight8(analog->mask & ANALOG_BTNS_STD) + !!(analog->mask & ANALOG_BTNS_CHF) * 2 +
+                hweight16(analog->mask & ANALOG_BTNS_GAMEPAD) + !!(analog->mask & ANALOG_HBTN_CHF) * 4);
 
        if (analog->mask & ANALOG_HATS_ALL)
-               sprintf(analog->name, "%s %d-hat",
-                       analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
+               snprintf(analog->name, sizeof(analog->name), "%s %d-hat",
+                        analog->name, hweight16(analog->mask & ANALOG_HATS_ALL));
 
        if (analog->mask & ANALOG_HAT_FCS)
-                       strcat(analog->name, " FCS");
+               strlcat(analog->name, " FCS", sizeof(analog->name));
        if (analog->mask & ANALOG_ANY_CHF)
-                       strcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF");
+               strlcat(analog->name, (analog->mask & ANALOG_SAITEK) ? " Saitek" : " CHF",
+                       sizeof(analog->name));
 
-       strcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick");
+       strlcat(analog->name, (analog->mask & ANALOG_GAMEPAD) ? " gamepad": " joystick",
+               sizeof(analog->name));
 }
 
 /*
@@ -435,7 +437,8 @@ static int analog_init_device(struct analog_port *port, struct analog *analog, i
        int i, j, t, v, w, x, y, z;
 
        analog_name(analog);
-       sprintf(analog->phys, "%s/input%d", port->gameport->phys, index);
+       snprintf(analog->phys, sizeof(analog->phys),
+                "%s/input%d", port->gameport->phys, index);
        analog->buttons = (analog->mask & ANALOG_GAMEPAD) ? analog_pad_btn : analog_joy_btn;
 
        analog->dev = input_dev = input_allocate_device();
index 1909f7e..d5e42eb 100644 (file)
@@ -202,7 +202,8 @@ static int cobra_connect(struct gameport *gameport, struct gameport_driver *drv)
                        goto fail3;
                }
 
-               sprintf(cobra->phys[i], "%s/input%d", gameport->phys, i);
+               snprintf(cobra->phys[i], sizeof(cobra->phys[i]),
+                        "%s/input%d", gameport->phys, i);
 
                input_dev->name = "Creative Labs Blaster GamePad Cobra";
                input_dev->phys = cobra->phys[i];
index e618946..6f31f05 100644 (file)
@@ -620,7 +620,8 @@ static struct db9 __init *db9_probe(int parport, int mode)
                        goto err_unreg_devs;
                }
 
-               sprintf(db9->phys[i], "%s/input%d", db9->pd->port->name, i);
+               snprintf(db9->phys[i], sizeof(db9->phys[i]),
+                        "%s/input%d", db9->pd->port->name, i);
 
                input_dev->name = db9_mode->name;
                input_dev->phys = db9->phys[i];
index ecbdb6b..fe12aa3 100644 (file)
@@ -761,7 +761,8 @@ static struct gc __init *gc_probe(int parport, int *pads, int n_pads)
                if (!pads[i])
                        continue;
 
-               sprintf(gc->phys[i], "%s/input%d", gc->pd->port->name, i);
+               snprintf(gc->phys[i], sizeof(gc->phys[i]),
+                        "%s/input%d", gc->pd->port->name, i);
                err = gc_setup_pad(gc, i, pads[i]);
                if (err)
                        goto err_unreg_devs;
index 8a3ad45..e4a699f 100644 (file)
@@ -298,7 +298,7 @@ static int gf2k_connect(struct gameport *gameport, struct gameport_driver *drv)
        gameport_set_poll_handler(gameport, gf2k_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(gf2k->phys, "%s/input0", gameport->phys);
+       snprintf(gf2k->phys, sizeof(gf2k->phys), "%s/input0", gameport->phys);
 
        gf2k->length = gf2k_lens[gf2k->id];
 
index 20cb98a..17a90c4 100644 (file)
@@ -354,7 +354,8 @@ static int grip_connect(struct gameport *gameport, struct gameport_driver *drv)
                        goto fail3;
                }
 
-               sprintf(grip->phys[i], "%s/input%d", gameport->phys, i);
+               snprintf(grip->phys[i], sizeof(grip->phys[i]),
+                        "%s/input%d", gameport->phys, i);
 
                input_dev->name = grip_name[grip->mode[i]];
                input_dev->phys = grip->phys[i];
index 6e2c721..840ed9b 100644 (file)
@@ -222,7 +222,7 @@ static int guillemot_connect(struct gameport *gameport, struct gameport_driver *
        gameport_set_poll_handler(gameport, guillemot_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(guillemot->phys, "%s/input0", gameport->phys);
+       snprintf(guillemot->phys, sizeof(guillemot->phys), "%s/input0", gameport->phys);
        guillemot->type = guillemot_type + i;
 
        input_dev->name = guillemot_type[i].name;
index c4ed017..bbfeb9c 100644 (file)
@@ -251,7 +251,7 @@ static int interact_connect(struct gameport *gameport, struct gameport_driver *d
        gameport_set_poll_handler(gameport, interact_poll);
        gameport_set_poll_interval(gameport, 20);
 
-       sprintf(interact->phys, "%s/input0", gameport->phys);
+       snprintf(interact->phys, sizeof(interact->phys), "%s/input0", gameport->phys);
 
        interact->type = i;
        interact->length = interact_type[i].length;
index ca3cc23..168b106 100644 (file)
@@ -162,7 +162,7 @@ static int magellan_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        magellan->dev = input_dev;
-       sprintf(magellan->phys, "%s/input0", serio->phys);
+       snprintf(magellan->phys, sizeof(magellan->phys), "%s/input0", serio->phys);
 
        input_dev->name = "LogiCad3D Magellan / SpaceMouse";
        input_dev->phys = magellan->phys;
index 95c0de7..e58b22c 100644 (file)
@@ -541,7 +541,7 @@ static void sw_print_packet(char *name, int length, unsigned char *buf, char bit
  * Unfortunately I don't know how to do this for the other SW types.
  */
 
-static void sw_3dp_id(unsigned char *buf, char *comment)
+static void sw_3dp_id(unsigned char *buf, char *comment, size_t size)
 {
        int i;
        char pnp[8], rev[9];
@@ -554,7 +554,7 @@ static void sw_3dp_id(unsigned char *buf, char *comment)
 
        pnp[7] = rev[8] = 0;
 
-       sprintf(comment, " [PnP %d.%02d id %s rev %s]",
+       snprintf(comment, size, " [PnP %d.%02d id %s rev %s]",
                (int) ((sw_get_bits(buf, 8, 6, 1) << 6) |               /* Two 6-bit values */
                        sw_get_bits(buf, 16, 6, 1)) / 100,
                (int) ((sw_get_bits(buf, 8, 6, 1) << 6) |
@@ -695,7 +695,7 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
                                                sw->type = SW_ID_FFP;
                                                sprintf(comment, " [AC %s]", sw_get_bits(idbuf,38,1,3) ? "off" : "on");
                                        } else
-                                       sw->type = SW_ID_PP;
+                                               sw->type = SW_ID_PP;
                                        break;
                                case 66:
                                        sw->bits = 3;
@@ -703,7 +703,8 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
                                        sw->length = 22;
                                case 64:
                                        sw->type = SW_ID_3DP;
-                                       if (j == 160) sw_3dp_id(idbuf, comment);
+                                       if (j == 160)
+                                               sw_3dp_id(idbuf, comment, sizeof(comment));
                                        break;
                        }
                }
@@ -733,8 +734,10 @@ static int sw_connect(struct gameport *gameport, struct gameport_driver *drv)
        for (i = 0; i < sw->number; i++) {
                int bits, code;
 
-               sprintf(sw->name, "Microsoft SideWinder %s", sw_name[sw->type]);
-               sprintf(sw->phys[i], "%s/input%d", gameport->phys, i);
+               snprintf(sw->name, sizeof(sw->name),
+                        "Microsoft SideWinder %s", sw_name[sw->type]);
+               snprintf(sw->phys[i], sizeof(sw->phys[i]),
+                        "%s/input%d", gameport->phys, i);
 
                sw->dev[i] = input_dev = input_allocate_device();
                if (!input_dev) {
index d6f8db8..75eb5ca 100644 (file)
@@ -220,7 +220,7 @@ static int spaceball_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        spaceball->dev = input_dev;
-       sprintf(spaceball->phys, "%s/input0", serio->phys);
+       snprintf(spaceball->phys, sizeof(spaceball->phys), "%s/input0", serio->phys);
 
        input_dev->name = spaceball_names[id];
        input_dev->phys = spaceball->phys;
index 7c123a0..3e2782e 100644 (file)
@@ -177,7 +177,7 @@ static int spaceorb_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        spaceorb->dev = input_dev;
-       sprintf(spaceorb->phys, "%s/input0", serio->phys);
+       snprintf(spaceorb->phys, sizeof(spaceorb->phys), "%s/input0", serio->phys);
 
        input_dev->name = "SpaceTec SpaceOrb 360 / Avenger";
        input_dev->phys = spaceorb->phys;
index 0a9ed1d..011ec48 100644 (file)
@@ -148,7 +148,7 @@ static int stinger_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        stinger->dev = input_dev;
-       sprintf(stinger->phys, "%s/serio0", serio->phys);
+       snprintf(stinger->phys, sizeof(stinger->phys), "%s/serio0", serio->phys);
 
        input_dev->name = "Gravis Stinger";
        input_dev->phys = stinger->phys;
index 7f8b009..076f237 100644 (file)
@@ -199,7 +199,7 @@ static int twidjoy_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        twidjoy->dev = input_dev;
-       sprintf(twidjoy->phys, "%s/input0", serio->phys);
+       snprintf(twidjoy->phys, sizeof(twidjoy->phys), "%s/input0", serio->phys);
 
        input_dev->name = "Handykey Twiddler";
        input_dev->phys = twidjoy->phys;
index 1849b17..f9c1a03 100644 (file)
@@ -154,7 +154,7 @@ static int warrior_connect(struct serio *serio, struct serio_driver *drv)
                goto fail;
 
        warrior->dev = input_dev;
-       sprintf(warrior->phys, "%s/input0", serio->phys);
+       snprintf(warrior->phys, sizeof(warrior->phys), "%s/input0", serio->phys);
 
        input_dev->name = "Logitech WingMan Warrior";
        input_dev->phys = warrior->phys;