On Tue, Dec 4, 2012 at 10:42 PM, Jean Delvare [off-list ref] wrote:

On Tue,  4 Dec 2012 16:27:43 +0100, Benjamin Tissoires wrote:

quoted

HID descriptors contains 4 bytes of reserved field.
The previous implementation was overriding the next fields in struct i2c_hid.

Signed-off-by: Benjamin Tissoires <redacted>
---
 drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 0fbb229..ad771a7 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c

@@ -68,6 +68,7 @@ struct i2c_hid_desc {
      __le16 wVendorID;
      __le16 wProductID;
      __le16 wVersionID;
+     __le32 reserved;
 } __packed;

 struct i2c_hid_cmd {

@@ -778,7 +779,7 @@ static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
      }

      dsize = le16_to_cpu(hdesc->wHIDDescLength);
-     if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) {
+     if (!dsize || dsize > sizeof(struct i2c_hid_desc)) {

Shouldn't !dsize rather be dsize < 4? You're reading hdesc->bcdVersion,
which is only defined if dsize >= 4 if I understand the code correctly.

Yes, you are right. Thanks.

Jiri, this patch is a prerequisite for "[PATCH 10/14] HID: i2c-hid:
reorder allocation/free of buffers".
could you please what for a v2 before applying 10/14?

Cheers,
Benjamin

quoted

              dev_err(&client->dev, "weird size of HID descriptor (%u)\n",
                      dsize);
              return -ENODEV;

--
Jean Delvare