Re: [PATCH 14/14] HID: core: check parameters when sending/receiving data from the device

David Herrmann <dh.herrmann@xxxxxxxxx> · Wed, 12 Feb 2014 11:51:22 +0100



Hi

On Mon, Feb 10, 2014 at 6:58 PM, Benjamin Tissoires
<benjamin.tissoires@xxxxxxxxxx> wrote:
> It is better to check them soon enough before triggering any kernel panic.

Reviewed-by: David Herrmann <dh.herrmann@xxxxxxxxx>

Thanks
David

> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
> ---
>  drivers/hid/i2c-hid/i2c-hid.c | 2 +-
>  include/linux/hid.h           | 6 ++++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> index d3b8d7a..b50860d 100644
> --- a/drivers/hid/i2c-hid/i2c-hid.c
> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> @@ -277,7 +277,7 @@ static int i2c_hid_set_or_send_report(struct i2c_client *client, u8 reportType,
>         u16 outputRegister = le16_to_cpu(ihid->hdesc.wOutputRegister);
>         u16 maxOutputLength = le16_to_cpu(ihid->hdesc.wMaxOutputLength);
>
> -       /* hidraw already checked that data_len < HID_MAX_BUFFER_SIZE */
> +       /* hid_hw_* already checked that data_len < HID_MAX_BUFFER_SIZE */
>         u16 size =      2                       /* size */ +
>                         (reportID ? 1 : 0)      /* reportID */ +
>                         data_len                /* buf */;
> diff --git a/include/linux/hid.h b/include/linux/hid.h
> index fa07639..f801506 100644
> --- a/include/linux/hid.h
> +++ b/include/linux/hid.h
> @@ -986,6 +986,9 @@ static inline int hid_hw_raw_request(struct hid_device *hdev,
>                                   unsigned char reportnum, __u8 *buf,
>                                   size_t len, unsigned char rtype, int reqtype)
>  {
> +       if (len < 1 || len > HID_MAX_BUFFER_SIZE || !buf)
> +               return -EINVAL;
> +
>         if (hdev->ll_driver->raw_request)
>                 return hdev->ll_driver->raw_request(hdev, reportnum, buf, len,
>                                                     rtype, reqtype);
> @@ -1005,6 +1008,9 @@ static inline int hid_hw_raw_request(struct hid_device *hdev,
>  static inline int hid_hw_output_report(struct hid_device *hdev, __u8 *buf,
>                                         size_t len)
>  {
> +       if (len < 1 || len > HID_MAX_BUFFER_SIZE || !buf)
> +               return -EINVAL;
> +
>         if (hdev->ll_driver->output_report)
>                 return hdev->ll_driver->output_report(hdev, buf, len);
>
> --
> 1.8.3.1
>
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html