Input: evdev - fix overflow in compat_ioctl
authorKenichi Nagai <kenichi3.nagai@toshiba.co.jp>
Fri, 11 May 2007 05:12:15 +0000 (01:12 -0400)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Fri, 11 May 2007 16:08:04 +0000 (09:08 -0700)
When exporting input device bitmaps via compat_ioctl on BIG_ENDIAN
platforms evdev calculates data size incorrectly. This causes buffer
overflow if user specifies buffer smaller than maxlen.

Signed-off-by: Kenichi Nagai <kenichi3.nagai@toshiba.co.jp>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/input/evdev.c

index 55a72592704cf5e1a497ae2805f6ff3c3f802c85..b234729706be800789dced2c155629e2bb448d03 100644 (file)
@@ -336,7 +336,7 @@ static int bits_to_user(unsigned long *bits, unsigned int maxbit,
 
        if (compat) {
                len = NBITS_COMPAT(maxbit) * sizeof(compat_long_t);
-               if (len < maxlen)
+               if (len > maxlen)
                        len = maxlen;
 
                for (i = 0; i < len / sizeof(compat_long_t); i++)