Re: [PATCH 2/2] HID: picolcd: sanity check report size in raw_event() callback
From: Bruno Prémont <bonbons@linux-vserver.org>
Date: 2014-08-27 08:13:18
Also in:
lkml
On Wed, 27 Aug 2014 09:13:15 +0200 (CEST) Jiri Kosina wrote:
The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <redacted> Signed-off-by: Jiri Kosina <redacted>
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
quoted hunk ↗ jump to hunk
--- drivers/hid/hid-picolcd_core.c | 6 ++++++ 1 file changed, 6 insertions(+)diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c index acbb0210..020df3c 100644 --- a/drivers/hid/hid-picolcd_core.c +++ b/drivers/hid/hid-picolcd_core.c@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, if (!data) return 1; + if (size > 64) { + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", + size);
Is it worth adding report->id to this hid_warn()? A valid device is not expected to ever send >64 bytes reports but in case a firmware update would do so it would help to know for which report it was.
+ return 0;
+ }
+
if (report->id == REPORT_KEY_STATE) {
if (data->input_keys)
ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);