Hi Dan, On Tue, Mar 5, 2013 at 2:06 PM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > We can't trust dj_report->device_index because it comes from the > user and hasn't been range checked. It is used as an offset into > the djrcv_dev->paired_dj_devices[] array which has 7 elements. > There is one range check already in logi_dj_recv_add_djhid_device() > and I have copy and pasted that here. > > DJ_DEVICE_INDEX_MIN is 1. > DJ_DEVICE_INDEX_MAX is 6. > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > This is a static checker fix and I'm not certain it's correct, > please look it over carefully. > > I do not know this code well, so I don't know why a zero index is > invalid. > > diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c > index 9500f2f..c01cd25 100644 > --- a/drivers/hid/hid-logitech-dj.c > +++ b/drivers/hid/hid-logitech-dj.c > @@ -701,6 +701,13 @@ static int logi_dj_raw_event(struct hid_device *hdev, > * anything else with it. > */ > > + if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || > + (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { > + dev_err(&hdev->dev, "%s: invalid device index:%d\n", __func__, > + dj_report->device_index); > + return true; > + } > + Sorry, but it's a NACK in its current form: - device_index == 0 is the receiver. IIRC, the receiver sends the different REPORT_TYPE_NOTIF_*. So I would say that this patch blocks events from the receiver. - the DJ protocol specifies that the device index is between 1 and 6 and that 0 means the receiver. So unless there is a problem in the USB line from the receiver to the driver, device index will be between 1 and 6 for input events. This is only true as long as with stay with real firmware from Logitech, not from events from uhid. If you want to add a check, it need to be in logi_dj_recv_forward_report(). The current access to djrcv_dev->paired_dj_devices[] in delayedwork_callback() has been removed in latest HID tree: https://git.kernel.org/cgit/linux/kernel/git/jikos/hid.git/log/?h=for-3.10/logitech Cheers, Benjamin > spin_lock_irqsave(&djrcv_dev->lock, flags); > if (dj_report->report_id == REPORT_ID_DJ_SHORT) { > switch (dj_report->report_type) { > -- > To unsubscribe from this list: send the line "unsubscribe linux-input" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html