Hi Aaron,
On Wed, Jan 03, 2018 at 01:30:05AM +0800, Aaron Ma wrote:
> When convert char array with signed int, if the inbuf[x] is negative then
> upper bits will be set to 1. Fix this by using u8 instead of char.
>
> ret_size has to be at least 3, hid_input_report use it after minus 2 bytes.
At least 2?
hid_input_report() checks (!size)
>
> size should be more than 0 to keep memset safe.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Aaron Ma <aaron.ma@xxxxxxxxxxxxx>
> ---
> drivers/hid/hid-core.c | 4 ++--
> drivers/hid/i2c-hid/i2c-hid.c | 10 +++++-----
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 0c3f608131cf..992547771d96 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
> if (rsize > HID_MAX_BUFFER_SIZE)
> rsize = HID_MAX_BUFFER_SIZE;
>
> - if (csize < rsize) {
> + if ((csize < rsize) && (csize > 0)) {
> dbg_hid("report %d is too short, (%d < %d)\n", report->id,
> csize, rsize);
> memset(cdata + csize, 0, rsize - csize);
> @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i
> report_enum = hid->report_enum + type;
> hdrv = hid->driver;
>
> - if (!size) {
> + if (size <= 0) {
All code that is using hid_input_report() seems to check that no
negative size is provided.
If we want this check, maybe we should consider making size unsigned
instead?
> dbg_hid("empty report\n");
> ret = -1;
> goto unlock;
> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> index e054ee43c1e2..09404ffdb08b 100644
> --- a/drivers/hid/i2c-hid/i2c-hid.c
> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> @@ -144,10 +144,10 @@ struct i2c_hid {
> * register of the HID
> * descriptor. */
> unsigned int bufsize; /* i2c buffer size */
> - char *inbuf; /* Input buffer */
> - char *rawbuf; /* Raw Input buffer */
> - char *cmdbuf; /* Command buffer */
> - char *argsbuf; /* Command arguments buffer */
> + u8 *inbuf; /* Input buffer */
> + u8 *rawbuf; /* Raw Input buffer */
> + u8 *cmdbuf; /* Command buffer */
> + u8 *argsbuf; /* Command arguments buffer */
Looks good
>
> unsigned long flags; /* device flags */
> unsigned long quirks; /* Various quirks */
> @@ -473,7 +473,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
>
> ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8;
>
> - if (!ret_size) {
> + if (ret_size <= 2) {
if (ret_size < 2) ?
> /* host or device initiated RESET completed */
> if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags))
> wake_up(&ihid->wait);
> --
> 2.14.3
Best regards
Marcus Folkesson
Attachment:
signature.asc
Description: PGP signature
