Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d3065cc5 authored by Pietro Borrello's avatar Pietro Borrello Committed by Greg Kroah-Hartman
Browse files

HID: betop: check shape of output reports 



[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ]

betopff_init() only checks the total sum of the report counts for each
report field to be at least 4, but hid_betopff_play() expects 4 report
fields.
A device advertising an output report with one field and 4 report counts
would pass the check but crash the kernel with a NULL pointer dereference
in hid_betopff_play().

Fixes: 52cd7785 ("HID: betop: add drivers/hid/hid-betopff.c")
Signed-off-by: default avatarPietro Borrello <borrello@diag.uniroma1.it>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent d16b83c8

drivers/hid/hid-betopff.c

+9 −8
Original line number Diff line number Diff line
@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid) 
	struct list_head *report_list =

			&hid->report_enum[HID_OUTPUT_REPORT].report_list;

	struct input_dev *dev;

	int field_count = 0;

	int error;

	int i, j;
@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid) 
	 * -----------------------------------------

	 * Do init them with default value.

	 */

	if (report->maxfield < 4) {

		hid_err(hid, "not enough fields in the report: %d\n",

				report->maxfield);

		return -ENODEV;

	}

	for (i = 0; i < report->maxfield; i++) {

		if (report->field[i]->report_count < 1) {

			hid_err(hid, "no values in the field\n");

			return -ENODEV;

		}

		for (j = 0; j < report->field[i]->report_count; j++) {

			report->field[i]->value[j] = 0x00;

			field_count++;

		}

	}



	if (field_count < 4) {

		hid_err(hid, "not enough fields in the report: %d\n",

				field_count);

		return -ENODEV;

	}



	betopff = kzalloc(sizeof(*betopff), GFP_KERNEL);

	if (!betopff)

		return -ENOMEM;