[PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
From: Jiri Kosina <hidden>
Date: 2014-08-27 07:13:19
Also in:
lkml
Subsystem:
hid core layer, picolcd hid driver, the rest · Maintainers:
Jiri Kosina, Benjamin Tissoires, Bruno Prémont, Linus Torvalds
The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <redacted> Signed-off-by: Jiri Kosina <redacted> --- drivers/hid/hid-picolcd_core.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index acbb0210..020df3c 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, if (!data) return 1; + if (size > 64) { + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", + size); + return 0; + } + if (report->id == REPORT_KEY_STATE) { if (data->input_keys) ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
--
1.9.2