| Message ID | alpine.LNX.2.00.1408270912310.2992@pobox.suse.cz (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Jiri Kosina |
| Headers | show |
On Wed, 27 Aug 2014 09:13:15 +0200 (CEST) Jiri Kosina wrote: > The report passed to us from transport driver could potentially be > arbitrarily large, therefore we better sanity-check it so that raw_data > that we hold in picolcd_pending structure are always kept within proper > bounds. > > Cc: stable@vger.kernel.org > Reported-by: Steven Vittitoe <scvitti@google.com> > Signed-off-by: Jiri Kosina <jkosina@suse.cz> Acked-by: Bruno Prémont <bonbons@linux-vserver.org> > --- > drivers/hid/hid-picolcd_core.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c > index acbb0210..020df3c 100644 > --- a/drivers/hid/hid-picolcd_core.c > +++ b/drivers/hid/hid-picolcd_core.c > @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, > if (!data) > return 1; > > + if (size > 64) { > + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", > + size); Is it worth adding report->id to this hid_warn()? A valid device is not expected to ever send >64 bytes reports but in case a firmware update would do so it would help to know for which report it was. > + return 0; > + } > + > if (report->id == REPORT_KEY_STATE) { > if (data->input_keys) > ret = picolcd_raw_keypad(data, report, raw_data+1, size-1); -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 27 Aug 2014, Bruno Prémont wrote: > > The report passed to us from transport driver could potentially be > > arbitrarily large, therefore we better sanity-check it so that raw_data > > that we hold in picolcd_pending structure are always kept within proper > > bounds. > > > > Cc: stable@vger.kernel.org > > Reported-by: Steven Vittitoe <scvitti@google.com> > > Signed-off-by: Jiri Kosina <jkosina@suse.cz> > > Acked-by: Bruno Prémont <bonbons@linux-vserver.org> Thanks. > > --- > > drivers/hid/hid-picolcd_core.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c > > index acbb0210..020df3c 100644 > > --- a/drivers/hid/hid-picolcd_core.c > > +++ b/drivers/hid/hid-picolcd_core.c > > @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, > > if (!data) > > return 1; > > > > + if (size > 64) { > > + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", > > + size); > > Is it worth adding report->id to this hid_warn()? > > A valid device is not expected to ever send >64 bytes reports but in > case a firmware update would do so it would help to know for which > report it was. It definitely wouldn't hurt. Pull request with the original patch is now on its way to Linus though, so let's do this as a followup patch on top once this is merged.
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c index acbb0210..020df3c 100644 --- a/drivers/hid/hid-picolcd_core.c +++ b/drivers/hid/hid-picolcd_core.c @@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, if (!data) return 1; + if (size > 64) { + hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", + size); + return 0; + } + if (report->id == REPORT_KEY_STATE) { if (data->input_keys) ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> --- drivers/hid/hid-picolcd_core.c | 6 ++++++ 1 file changed, 6 insertions(+)