From cf0d73307d11d7d4607d57aac6782c0949376746 Mon Sep 17 00:00:00 2001
From: Andrew de los Reyes <adlr@google.com>
Date: Fri, 4 Sep 2015 15:21:42 -0700
Subject: HIDDevice: WriteDeviceNameToFile: check lengths, close return value

Addresses security concern:

WriteDeviceNameToFile does not check buffer lengths, and uses a fixed
size of 19, though this is likely safe due to how the kernel builds the
/sys tree entries. Also fails to check return code of "close".
---
 rmidevice/hiddevice.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index 3d80a3a..f6ccd58 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -537,7 +537,7 @@ bool WriteDeviceNameToFile(const char * file, const char * str)
 		return false;
 
 	for (;;) {
-		size = write(fd, str, 19);
+		size = write(fd, str, strlen(str));
 		if (size < 0) {
 			if (errno == EINTR)
 				continue;
@@ -546,9 +546,8 @@ bool WriteDeviceNameToFile(const char * file, const char * str)
 		}
 		break;
 	}
-	close(fd);
 
-	return true;
+	return close(fd) == 0 && size == static_cast<ssize_t>(strlen(str));
 }
 
 void HIDDevice::RebindDriver()
-- 
cgit v1.2.3