diff options
| author | Andrew de los Reyes <adlr@google.com> | 2015-09-04 15:21:42 -0700 |
|---|---|---|
| committer | Andrew Duggan <aduggan@synaptics.com> | 2015-09-10 11:16:24 -0700 |
| commit | cf0d73307d11d7d4607d57aac6782c0949376746 (patch) | |
| tree | f4a7c232f79888690beb291a75406e92fc8cf9d4 | |
| parent | 5f6172825c985c0904c21c6936fff8b677850b73 (diff) | |
| download | rmi4utils-cf0d73307d11d7d4607d57aac6782c0949376746.tar.gz | |
HIDDevice: WriteDeviceNameToFile: check lengths, close return value
Addresses security concern:
WriteDeviceNameToFile does not check buffer lengths, and uses a fixed
size of 19, though this is likely safe due to how the kernel builds the
/sys tree entries. Also fails to check return code of "close".
| -rw-r--r-- | rmidevice/hiddevice.cpp | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp index 3d80a3a..f6ccd58 100644 --- a/rmidevice/hiddevice.cpp +++ b/rmidevice/hiddevice.cpp @@ -537,7 +537,7 @@ bool WriteDeviceNameToFile(const char * file, const char * str) return false; for (;;) { - size = write(fd, str, 19); + size = write(fd, str, strlen(str)); if (size < 0) { if (errno == EINTR) continue; @@ -546,9 +546,8 @@ bool WriteDeviceNameToFile(const char * file, const char * str) } break; } - close(fd); - return true; + return close(fd) == 0 && size == static_cast<ssize_t>(strlen(str)); } void HIDDevice::RebindDriver() |