From 2b107d629dc0c35de606bb7b010b829cd247a93a Mon Sep 17 00:00:00 2001 From: Jiri Kosina Date: Wed, 17 Sep 2008 19:41:58 +0200 Subject: HID: fix incorrent length condition in hidraw_write() The bound check on the buffer length if (count > HID_MIN_BUFFER_SIZE) is of course incorrent, the proper check is if (count > HID_MAX_BUFFER_SIZE) Fix it. Reported-by: Jerry Ryle Signed-off-by: Jiri Kosina diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 4be240e..497e0d1 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t if (!dev->hid_output_raw_report) return -ENODEV; - if (count > HID_MIN_BUFFER_SIZE) { + if (count > HID_MAX_BUFFER_SIZE) { printk(KERN_WARNING "hidraw: pid %d passed too large report\n", task_pid_nr(current)); return -EINVAL; -- cgit v0.10.2