[PATCH] USB: hid-core: possible buffer overflow in hid-core.c

Peter Bartosch wrote:
> Hello all,
>
>
> i think i found a possible buffer overflow in hid-core (2.6.10-rc2):

Agreed, and sorry it took so long to reply/patch this.
(from 2004-DEC-01)

> when i interpret this code right, the buffer (buf) will overflow when
> the iManufacturer stringlength is 0 and the iProduct stringlength
> is > 64!

Thanks, here's a patch for it.

Fix potential buffer overflow (by a device descriptor):
buf size is only 64 bytes.
Signed-off-by: Randy Dunlap <rddunlap@osdl.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

drivers/usb/input/hid-core.c

@@ -1740,7 +1740,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
 		strcat(hid->name, buf);
 		if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
 			snprintf(hid->name, 64, "%s %s", hid->name, buf);
-	} else if (usb_string(dev, dev->descriptor.iProduct, buf, 128) > 0) {
+	} else if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0) {
 			snprintf(hid->name, 128, "%s", buf);
 	} else
 		snprintf(hid->name, 128, "%04x:%04x",