Hello,
I'm using a particular multi touch screen module, which is the
TP 72055 from Data Modul. They have tested it only for Win7.
Using it I have found a crash in hid_report_raw_event() on kernel
2.6.37, but I believe is there also in latest one.
Debugging the issue it seems that it is caused by the fact that
TP72055 module issues a hid report with a size equals to 0. The rsize
value gets
set to 536870912 and Linux is crashing in the memset because the
value is too big.
I think a proper checking on rsize must be made to avoid cases like that.
I'm attaching the simple patch I made.
Pls let me know if the fix makes sense or not.
THx,
Arm
>From 4e3af7356b4973f8733669ba4c201e61b36e998a Mon Sep 17 00:00:00 2001
From: Armando Visconti <armando.visconti@xxxxxx>
Date: Tue, 26 Apr 2011 17:07:54 +0200
Subject: [PATCH] HID: Fixed a crash in hid_report_raw_event() function.
I'm using a Data Modul EasyTouch USB multitouch controller, which is
issuing a hid report with a size equals to 0. The rsize value gets
set to 536870912 and Linux is crashing in the memset because the
value is too big.
Signed-off-by: Armando Visconti <armando.visconti@xxxxxx>
---
drivers/hid/hid-core.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index b144b38..c5efca3 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1024,6 +1024,9 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
rsize = ((report->size - 1) >> 3) + 1;
+ if (rsize > HID_MAX_BUFFER_SIZE)
+ rsize = HID_MAX_BUFFER_SIZE;
+
if (csize < rsize) {
dbg_hid("report %d is too short, (%d < %d)\n", report->id,
csize, rsize);
--
1.7.4
