On Thu, 28 Sep 2017, Jaejoong Kim wrote:

> The hid descriptor identifies the length and type of subordinate
> descriptors for a device. If the received hid descriptor is smaller than
> the size of the struct hid_descriptor, it is possible to cause
> out-of-bounds.
>
> In addition, if bNumDescriptors of the hid descriptor have an incorrect
> value, this can also cause out-of-bounds while approaching hdesc->desc[n].
>
> So check the size of hid descriptor and bNumDescriptors.

Applied to for-4.14/upstream-fixes. Thanks,

-- 
Jiri Kosina
SUSE Labs
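
Added example, not part of the original thread and not the applied patch: a user-space sketch of the two checks the commit message describes, run against constructed descriptor bytes. The function name, macros and sample arrays are hypothetical; the byte layout assumed is the USB HID class descriptor (6-byte header followed by 3-byte class descriptor entries).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HID_HDR_LEN   6    /* bLength .. bNumDescriptors */
#define HID_ENTRY_LEN 3    /* bDescriptorType + wDescriptorLength (LE) */
#define HID_MIN_LEN   (HID_HDR_LEN + HID_ENTRY_LEN)  /* header + one entry */
#define HID_DT_REPORT 0x22

/* Constructed sample descriptors (not captured from a real device). */
static const uint8_t ok_desc[]    = {9, 0x21, 0x11, 0x01, 0x00, 1, 0x22, 0x41, 0x00};
static const uint8_t short_desc[] = {6, 0x21, 0x11, 0x01, 0x00, 1};
static const uint8_t bad_count[]  = {9, 0x21, 0x11, 0x01, 0x00, 5, 0x22, 0x41, 0x00};

/* Return the report descriptor length advertised by a device-supplied
 * HID descriptor, or -1 if the descriptor fails validation. */
int hid_report_desc_len(const uint8_t *buf, size_t len)
{
    /* Check 1: the received data must hold at least a minimal descriptor,
     * and the self-declared bLength must fit inside what was received. */
    if (len < HID_MIN_LEN)
        return -1;
    uint8_t blength = buf[0];
    uint8_t num = buf[5];               /* bNumDescriptors */
    if (blength < HID_MIN_LEN || blength > len)
        return -1;

    /* Check 2: bNumDescriptors must not claim more entries than bLength
     * covers. This sketch rejects; clamping the count is another option. */
    if (num == 0 || HID_HDR_LEN + (size_t)num * HID_ENTRY_LEN > blength)
        return -1;

    for (uint8_t n = 0; n < num; n++) {
        const uint8_t *e = buf + HID_HDR_LEN + (size_t)n * HID_ENTRY_LEN;
        if (e[0] == HID_DT_REPORT)
            return e[1] | (e[2] << 8);
    }
    return -1;                          /* no report descriptor entry */
}

int main(void)
{
    printf("valid:     %d\n", hid_report_desc_len(ok_desc, sizeof ok_desc));
    printf("short:     %d\n", hid_report_desc_len(short_desc, sizeof short_desc));
    printf("bad count: %d\n", hid_report_desc_len(bad_count, sizeof bad_count));
    return 0;
}
```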