Re: [PATCH] HID: i2c-hid: prevent buffer overflow in early IRQ

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Dec 11 2014 or thereabouts, Gwendal Grignou wrote:
> Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
> 64 bytes. While processing the IRQ, we were asking to receive up to
> wMaxInputLength bytes, which can be bigger than 64 bytes.
> 
> Later, when ->start is run, a proper bufsize will be calculated.
> 
> Given wMaxInputLength is said to be unreliable in other part of the
> code, set to receive only what we can even if it results in truncated
> reports.
> 
> Signed-off-by: Gwendal Grignou <gwendal@xxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---

Yep, well spotted. Makes sense to me.

Reviewed-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>

Cheers,
Benjamin

>  drivers/hid/i2c-hid/i2c-hid.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> index 226375e..d32037c 100644
> --- a/drivers/hid/i2c-hid/i2c-hid.c
> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> @@ -370,7 +370,7 @@ static int i2c_hid_hwreset(struct i2c_client *client)
>  static void i2c_hid_get_input(struct i2c_hid *ihid)
>  {
>  	int ret, ret_size;
> -	int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
> +	int size = ihid->bufsize;
>  
>  	ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
>  	if (ret != size) {
> -- 
> 2.2.0.rc0.207.ga3a616c
> 
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]