2012/4/20 Anderson Lizardo <anderson.lizardo@xxxxxxxxxxxxx>: > Hi João, > > 2012/4/18 João Paulo Rechi Vita <jprvita@xxxxxxxxxxxxx>: >> --- >> input/hog_device.c | 21 +++++++++++++++++++++ >> 1 files changed, 21 insertions(+), 0 deletions(-) >> >> diff --git a/input/hog_device.c b/input/hog_device.c >> index ac6d4c9..5df6879 100644 >> --- a/input/hog_device.c >> +++ b/input/hog_device.c >> @@ -71,9 +71,27 @@ static void report_free(struct report *report) >> g_free(report); >> } >> >> +static void report_value_cb(const uint8_t *pdu, uint16_t len, gpointer user_data) >> +{ >> + uint16_t handle; >> + >> + if (len < 3) { > > I suppose the check should be (len < 10) here ? Otherwise the DBG() > call will read invalid data. > >> + error("Malformed ATT notification"); >> + return; >> + } >> + >> + handle = att_get_u16(&pdu[1]); >> + >> + DBG("Report(0x%04x): 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x " >> + "0x%02x", handle, pdu[2], pdu[3], pdu[4], >> + pdu[5], pdu[6], pdu[7], pdu[8], pdu[9]); > > This DBG() seems strange. If handle starts at (pdu + 1) and has two > octets, the remaining bytes should start at (pdu + 3). > The right thing to do here is to keep the initial check for len < 3 (1-byte opcode + 2-byte handle) and remove this debug entirely. It was helpful during development, but normally we won't want one debug message for every input event, even in debug mode. -- João Paulo Rechi Vita Openbossa Labs - INdT
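
Review bot: In report_value_cb() the guard `if (len < 3)` only guarantees pdu[0] through pdu[2], but the DBG() call that follows reads pdu[2] through pdu[9], so a notification shorter than 10 bytes makes it read past the end of the received PDU, and that length comes from the notification itself. The dump also starts one byte early: att_get_u16(&pdu[1]) consumes pdu[1] and pdu[2] as the handle, so the report value begins at pdu[3], not pdu[2]. Keep the len < 3 check for the 1-byte opcode plus 2-byte handle, and either drop the DBG() or have it print only the len - 3 bytes that are actually present, starting at pdu[3].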