lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

HID: logitech-dj: check report length

Browse Source 
Malicious USB devices can send bogus reports smaller than the expected
buffer size. Ensure that the length is valid to avoid reading out of
bounds.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This commit is contained in:
Peter Wu
2014-12-16 16:55:21 +01:00
committed by Jiri Kosina
parent 0349678ccd
commit f254ae938e
1 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
drivers/hid/hid-logitech-dj.c
View File

@@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev,
switch (data[0]) { switch (data[0]) {
case REPORT_ID_DJ_SHORT: case REPORT_ID_DJ_SHORT:
if (size != DJREPORT_SHORT_LENGTH) {
dev_err(&hdev->dev, "DJ report of bad size (%d)", size);
return false;
}
return logi_dj_dj_event(hdev, report, data, size); return logi_dj_dj_event(hdev, report, data, size);
case REPORT_ID_HIDPP_SHORT: case REPORT_ID_HIDPP_SHORT:
/* intentional fallthrough */ if (size != HIDPP_REPORT_SHORT_LENGTH) {
dev_err(&hdev->dev,
"Short HID++ report of bad size (%d)", size);
return false;
}
return logi_dj_hidpp_event(hdev, report, data, size);
case REPORT_ID_HIDPP_LONG: case REPORT_ID_HIDPP_LONG:
if (size != HIDPP_REPORT_LONG_LENGTH) {
dev_err(&hdev->dev,
"Long HID++ report of bad size (%d)", size);
return false;
}
return logi_dj_hidpp_event(hdev, report, data, size); return logi_dj_hidpp_event(hdev, report, data, size);
} }