Thread (43 messages) 43 messages, 3 authors, 2012-12-05
STALE4929d

[PATCH 14/14] HID: i2c-hid: fix i2c_hid_get_raw_report count mismatches

From: Benjamin Tissoires <hidden>
Date: 2012-12-04 15:28:42
Also in: linux-i2c, lkml
Subsystem: hid core layer, the rest · Maintainers: Jiri Kosina, Benjamin Tissoires, Linus Torvalds 

The previous memcpy implementation relied on the size advertized by the
device. There were no guarantees that buf was big enough.

Some gymnastic is also required with the +2/-2 to take into account
the first 2 bytes where the total length is supplied by the device.

Signed-off-by: Benjamin Tissoires <redacted>
---
 drivers/hid/i2c-hid/i2c-hid.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 62988f1..de3566f 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -503,13 +503,14 @@ static int i2c_hid_get_raw_report(struct hid_device *hid,
 {
 	struct i2c_client *client = hid->driver_data;
 	struct i2c_hid *ihid = i2c_get_clientdata(client);
+	size_t rcount;
 	int ret;
 
 	if (report_type == HID_OUTPUT_REPORT)
 		return -EINVAL;
 
-	if (count > ihid->bufsize)
-		count = ihid->bufsize;
+	if (count > ihid->bufsize - 2)
+		count = ihid->bufsize - 2;
 
 	ret = i2c_hid_get_report(client,
 			report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
@@ -518,7 +519,13 @@ static int i2c_hid_get_raw_report(struct hid_device *hid,
 	if (ret < 0)
 		return ret;
 
-	count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
+	rcount = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
+
+	if (!rcount)
+		return 0;
+
+	if (count > rcount - 2)
+		count = rcount - 2;
 
 	memcpy(buf, ihid->inbuf + 2, count);
 
-- 
1.8.0.1
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help