From patchwork Tue Dec 16 15:55:21 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Wu X-Patchwork-Id: 5501351 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: X-Original-To: patchwork-linux-input@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id E8A449F1D4 for ; Tue, 16 Dec 2014 15:56:20 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 34CBD20A23 for ; Tue, 16 Dec 2014 15:56:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 57E1F20A22 for ; Tue, 16 Dec 2014 15:56:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751366AbaLPPz5 (ORCPT ); Tue, 16 Dec 2014 10:55:57 -0500 Received: from lekensteyn.nl ([178.21.112.251]:57013 "EHLO lekensteyn.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751197AbaLPPzk (ORCPT ); Tue, 16 Dec 2014 10:55:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lekensteyn.nl; s=s2048-2014-q3; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From; bh=SbX27EsTgd8PUwikl9vQQtCzdJeASaCaugxbnZPKpU4=; b=PyFrHo7R/S/jPHWSuZOpe9ulyDkvYZ9OfvfY0Od00TzIjNwiXeouALT7glcvYCRJKqa+BOy6D2rpD1w/XHto6pP6H59UOlwP4JDU7XZNI+vGITo3TbnYVUOolF4SepDgBkjerwWCjMHLb8bEMiiZYjog7FQ9dTs9IYVVj0dNrD7e7RIXLKRUmgro8QP9oBotAabiztI/L9j6aUgyaefFexK2UKTv4Udua65Hd5BBYmFb7tL7Fu1v+oHOC3e6aBNsAiaV6ppTz4Wf4O47ARdweEBZaDOza2t1fVQudNUGkh7dFspjTvlyAPuPQRKUr4DDajvdbpKxLH1HaldTJDWAxA==; Received: by lekensteyn.nl with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA256:128) (Exim 4.80) (envelope-from ) id 1Y0uTE-0001Bu-4n; Tue, 16 Dec 2014 16:55:32 +0100 From: Peter Wu To: Jiri Kosina , Benjamin Tissoires Cc: Nestor Lopez Casado , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 1/3] HID: logitech-dj: check report length Date: Tue, 16 Dec 2014 16:55:21 +0100 Message-Id: <1418745323-17133-1-git-send-email-peter@lekensteyn.nl> X-Mailer: git-send-email 2.1.3 In-Reply-To: References: X-Spam-Score: 0.0 (/) X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length is valid to avoid reading out of bounds. Signed-off-by: Peter Wu Reviewed-by: Benjamin Tissoires --- v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length v2: splitted original report length check patch --- drivers/hid/hid-logitech-dj.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c index c917ab6..5bc6d80 100644 --- a/drivers/hid/hid-logitech-dj.c +++ b/drivers/hid/hid-logitech-dj.c @@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev, switch (data[0]) { case REPORT_ID_DJ_SHORT: + if (size != DJREPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, "DJ report of bad size (%d)", size); + return false; + } return logi_dj_dj_event(hdev, report, data, size); case REPORT_ID_HIDPP_SHORT: - /* intentional fallthrough */ + if (size != HIDPP_REPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, + "Short HID++ report of bad size (%d)", size); + return false; + } + return logi_dj_hidpp_event(hdev, report, data, size); case REPORT_ID_HIDPP_LONG: + if (size != HIDPP_REPORT_LONG_LENGTH) { + dev_err(&hdev->dev, + "Long HID++ report of bad size (%d)", size); + return false; + } return logi_dj_hidpp_event(hdev, report, data, size); }