From patchwork Tue Dec 16 15:55:22 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Wu X-Patchwork-Id: 5501311 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: X-Original-To: patchwork-linux-input@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 3A0DBBEEA8 for ; Tue, 16 Dec 2014 15:55:42 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6E56420A23 for ; Tue, 16 Dec 2014 15:55:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F26DD20A22 for ; Tue, 16 Dec 2014 15:55:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751030AbaLPPzj (ORCPT ); Tue, 16 Dec 2014 10:55:39 -0500 Received: from lekensteyn.nl ([178.21.112.251]:59917 "EHLO lekensteyn.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750979AbaLPPzi (ORCPT ); Tue, 16 Dec 2014 10:55:38 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lekensteyn.nl; s=s2048-2014-q3; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From; bh=BBWgMmnqcuLIhh57kvtjtjn5NO80x7p7wu2DVQgQ63U=; b=cWhWr+E+6clkbB/QlJ1i78LLOQ0mUJL5kSse+dG9umX5T2jJ/4qFBM3GBXJM9kWTrrbX6LZXQ7P/CugReRALPohKqH6AVtwgRkCA1HwyhAI/xo0nzW6uPq+LADkKsaK7f/AT2VDF8CSpczcvpjsaKl44hERVf77IgYcS1aKWnP7ASdMhiTaPWee9UtYuRgrAPE8u7IndqcibGjrduRlnJygGfIetPzf9J98yW6b7/6fH2kORNmSs2dDYJGXyJkzEf2OnEwHFZ8PWzcTFadYMYYr9yoAlVkNW5piWM4eHJoqnh/l+CixZrdlxnW+gBW8T4YbQzn0THb+30ASwM2GGnQ==; Received: by lekensteyn.nl with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA256:128) (Exim 4.80) (envelope-from ) id 1Y0uTE-0001Bu-OQ; Tue, 16 Dec 2014 16:55:32 +0100 From: Peter Wu To: Jiri Kosina , Benjamin Tissoires Cc: Nestor Lopez Casado , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 2/3] HID: logitech-hidpp: check WTP report length Date: Tue, 16 Dec 2014 16:55:22 +0100 Message-Id: <1418745323-17133-2-git-send-email-peter@lekensteyn.nl> X-Mailer: git-send-email 2.1.3 In-Reply-To: <1418745323-17133-1-git-send-email-peter@lekensteyn.nl> References: <1418745323-17133-1-git-send-email-peter@lekensteyn.nl> X-Spam-Score: 0.0 (/) X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length for WTP reports is valid to avoid reading out of bounds. Signed-off-by: Peter Wu Reviewed-by: Benjamin Tissoires --- v1: patch 2/3 HID: logitech-{dj,hidpp}: check report length v2: splitted original report length check patch --- drivers/hid/hid-logitech-hidpp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index b32f751..2f1b0ac 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -805,6 +805,11 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size) switch (data[0]) { case 0x02: + if (size < 2) { + hid_err(hdev, "Received HID report of bad size (%d)", + size); + return 1; + } if (hidpp->quirks & HIDPP_QUIRK_WTP_PHYSICAL_BUTTONS) { input_event(wd->input, EV_KEY, BTN_LEFT, !!(data[1] & 0x01)); @@ -818,6 +823,7 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size) return wtp_mouse_raw_xy_event(hidpp, &data[7]); } case REPORT_ID_HIDPP_LONG: + /* size is already checked in hidpp_raw_event. */ if ((report->fap.feature_index != wd->mt_feature_index) || (report->fap.funcindex_clientid != EVENT_TOUCHPAD_RAW_XY)) return 1;