Blob Blame History Raw
From 2a7af30793f9aa6e36acdc7c8b908d0965585437 Mon Sep 17 00:00:00 2001
From: Jason Gerecke <killertofu@gmail.com>
Date: Thu, 10 Oct 2019 12:13:39 -0700
Subject: [PATCH] tools: Fix potential buffer overflow when reading from serial
 tablet

The read_data() function has a "min_len" number of bytes to read
to ensure that a complete data structure is read, regardless of garbage
that may be on the line. When garbage is present, however, it can
potentially overflow the buffer.

The function already has code to memmove the good data over garbage and
perform re-reads until "min_len" bytes of good data are available. All
we need to do to avoid the buffer overflow is ensure that the maximum
number of bytes we read() in one call is no more than the number of
bytes free at the end of the buffer.

Ref: https://github.com/linuxwacom/xf86-input-wacom/issues/86
Fixes: 3546d8ab1b ("tools: add isdv4-serial-debugger test program")
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
---
 tools/tools-shared.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/tools-shared.c b/tools/tools-shared.c
index c55e8ca1..c10d8e86 100644
--- a/tools/tools-shared.c
+++ b/tools/tools-shared.c
@@ -219,7 +219,7 @@ int read_data(int fd, unsigned char* buffer, int min_len)
 	TRACE("Reading %d bytes from device.\n", min_len);
 redo:
 	do {
-		int l = read(fd, &buffer[len], min_len);
+		int l = read(fd, &buffer[len], min_len - len);
 
 		if (l == -1) {
 			if (errno != EAGAIN) {
-- 
2.23.0