On Fri, 20 Aug 2021, Alan Stern wrote:

> > syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> That's good to know. Still, I suspect there's a better way of handling
> this condition.
>
> In particular, does it make sense to accept descriptors for input or
> feature reports with length zero? I can't imagine what good such
> reports would do.

I quickly went through drivers + some hidraw users, and can't spot any use case for it.

> On the other hand, I'm not familiar enough with the code to know the
> right way to reject these descriptors and reports. It looks like the
> HID subsystem was not designed with this sort of check in mind.
>
> Benjamin and Jiri, what do you think? Is it okay to allow descriptors
> for zero-length reports and just pretend they have length 1 (as the
> patch tested by syzbot did), or should we instead reject them during
> probing?

I think it's a good band-aid for 5.14 (or 5.14-stable if we don't make it), and if it turns out to break something (which I don't expect), then we can look into rejecting already during probe.

Benjamin, is there a way to run this quickly through your HID regression testing machinery?

Thanks,

-- 
Jiri Kosina
SUSE Labs