system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 18:56:38 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hid: Handle errors from copyin() in ioctl handlers

Browse source 
If copyin() fails, the driver will proceed blindly with a zeroed buffer,
which is not what we want.  In preparation for annotating copyin() with
__result_use_check, start checking for errors.

Reviewed by:	wulf
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D43102
This commit is contained in:
Mark Johnston 2023-12-25 20:37:49 -05:00
parent 81eb7baa69
commit e452fa70d5
1 changed files with 20 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
sys/dev/hid/hidraw.c
View file

@ -674,13 +674,16 @@ hidraw_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
sc->sc_state.quiet = true;
mtx_unlock(&sc->sc_mtx);
if (error != 0)
return(error);
return (error);
buf = HIDRAW_LOCAL_ALLOC(local_buf, hgd->hgd_maxlen);
copyin(hgd->hgd_data, buf, hgd->hgd_maxlen);
bus_topo_lock();
error = hid_set_report_descr(sc->sc_dev, buf, hgd->hgd_maxlen);
bus_topo_unlock();
error = copyin(hgd->hgd_data, buf, hgd->hgd_maxlen);
if (error == 0) {
bus_topo_lock();
error = hid_set_report_descr(sc->sc_dev, buf,
hgd->hgd_maxlen);
bus_topo_unlock();
}
HIDRAW_LOCAL_FREE(local_buf, buf);
/* Realloc hidraw input queue */
@ -737,8 +740,11 @@ hidraw_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
default:
return (EINVAL);
}
if (id != 0)
copyin(hgd->hgd_data, &id, 1);
if (id != 0) {
error = copyin(hgd->hgd_data, &id, 1);
if (error != 0)
return (error);
}
size = MIN(hgd->hgd_maxlen, size);
buf = HIDRAW_LOCAL_ALLOC(local_buf, size);
error = hid_get_report(sc->sc_dev, buf, size, NULL,
@ -775,11 +781,13 @@ hidraw_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
}
size = MIN(hgd->hgd_maxlen, size);
buf = HIDRAW_LOCAL_ALLOC(local_buf, size);
copyin(hgd->hgd_data, buf, size);
if (id != 0)
id = *(uint8_t *)buf;
error = hid_set_report(sc->sc_dev, buf, size,
hgd->hgd_report_type, id);
error = copyin(hgd->hgd_data, buf, size);
if (error == 0) {
if (id != 0)
id = *(uint8_t *)buf;
error = hid_set_report(sc->sc_dev, buf, size,
hgd->hgd_report_type, id);
}
HIDRAW_LOCAL_FREE(local_buf, buf);
return (error);