[PATCH] HID: Fixed a crash in hid_report_raw_event() function.
From: Armando Visconti <hidden>
Date: 2011-05-19 19:41:46
Also in:
lkml
Subsystem:
hid core layer, the rest · Maintainers:
Jiri Kosina, Benjamin Tissoires, Linus Torvalds
I'm using a Data Modul EasyTouch USB multitouch controller, which is issuing a hid report with a size equals to 0. The rsize value gets set to 536870912 and Linux is crashing in the memset because the value is too big. Signed-off-by: Armando Visconti <redacted> --- drivers/hid/hid-core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index c3d6626..3e972e3 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c@@ -1045,6 +1045,9 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, rsize = ((report->size - 1) >> 3) + 1; + if (rsize > HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE; + if (csize < rsize) { dbg_hid("report %d is too short, (%d < %d)\n", report->id, csize, rsize);
--
1.7.4