diff options
author | Jason Gerecke <killertofu@gmail.com> | 2019-10-10 12:13:39 -0700 |
---|---|---|
committer | Jason Gerecke <killertofu@gmail.com> | 2019-10-23 13:43:55 -0700 |
commit | 2a7af30793f9aa6e36acdc7c8b908d0965585437 (patch) | |
tree | 428224deaf146c9c1fce4452104448a696c40fef | |
parent | 17028f68f5ca41cf6c77e4166e48006e6c3fff45 (diff) | |
download | xf86-input-wacom-2a7af30793f9aa6e36acdc7c8b908d0965585437.tar.gz |
tools: Fix potential buffer overflow when reading from serial tablet
The read_data() function has a "min_len" number of bytes to read
to ensure that a complete data structure is read, regardless of garbage
that may be on the line. When garbage is present, however, it can
potentially overflow the buffer.
The function already has code to memmove the good data over garbage and
perform re-reads until "min_len" bytes of good data are available. All
we need to do to avoid the buffer overflow is ensure that the maximum
number of bytes we read() in one call is no more than the number of
bytes free at the end of the buffer.
Ref: https://github.com/linuxwacom/xf86-input-wacom/issues/86
Fixes: 3546d8ab1b ("tools: add isdv4-serial-debugger test program")
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
-rw-r--r-- | tools/tools-shared.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/tools-shared.c b/tools/tools-shared.c index c55e8ca..c10d8e8 100644 --- a/tools/tools-shared.c +++ b/tools/tools-shared.c @@ -219,7 +219,7 @@ int read_data(int fd, unsigned char* buffer, int min_len) TRACE("Reading %d bytes from device.\n", min_len); redo: do { - int l = read(fd, &buffer[len], min_len); + int l = read(fd, &buffer[len], min_len - len); if (l == -1) { if (errno != EAGAIN) { |