Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / rmi4utils / cf0d73307d11d7d4607d57aac6782c0949376746^! / . / rmidevice / hiddevice.cpp
commitcf0d73307d11d7d4607d57aac6782c0949376746[log] [tgz]
authorAndrew de los Reyes <adlr@google.com>Fri Sep 04 15:21:42 2015 -0700
committerAndrew Duggan <aduggan@synaptics.com>Thu Sep 10 11:16:24 2015 -0700
treef4a7c232f79888690beb291a75406e92fc8cf9d4
parent5f6172825c985c0904c21c6936fff8b677850b73 [diff] [blame]
HIDDevice: WriteDeviceNameToFile: check lengths, close return value

Addresses security concern:

WriteDeviceNameToFile does not check buffer lengths, and uses a fixed
size of 19, though this is likely safe due to how the kernel builds the
/sys tree entries. Also fails to check return code of "close".

diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 3d80a3a..f6ccd58 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp

@@ -537,7 +537,7 @@
 		return false;
 
 	for (;;) {
-		size = write(fd, str, 19);
+		size = write(fd, str, strlen(str));
 		if (size < 0) {
 			if (errno == EINTR)
 				continue;
@@ -546,9 +546,8 @@
 		}
 		break;
 	}
-	close(fd);
 
-	return true;
+	return close(fd) == 0 && size == static_cast<ssize_t>(strlen(str));
 }
 
 void HIDDevice::RebindDriver()