Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e5b50fe7 authored by Benjamin Tissoires's avatar Benjamin Tissoires Committed by Jiri Kosina
Browse files

HID: i2c-hid: fix i2c_hid_get_raw_report count mismatches 



The previous memcpy implementation relied on the size advertized by the
device. There were no guarantees that buf was big enough.

Some gymnastic is also required with the +2/-2 to take into account
the first 2 bytes of the returned buffer where the total returned
length is supplied by the device.

Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 8a1bbb53

drivers/hid/i2c-hid/i2c-hid.c

+12 −4
Original line number Original line Diff line number Diff line
@@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, 
{

{

	struct i2c_client *client = hid->driver_data;

	struct i2c_client *client = hid->driver_data;

	struct i2c_hid *ihid = i2c_get_clientdata(client);

	struct i2c_hid *ihid = i2c_get_clientdata(client);

	size_t ret_count, ask_count;

	int ret;

	int ret;





	if (report_type == HID_OUTPUT_REPORT)

	if (report_type == HID_OUTPUT_REPORT)

		return -EINVAL;

		return -EINVAL;





	if (count > ihid->bufsize)

	/* +2 bytes to include the size of the reply in the query buffer */

		count = ihid->bufsize;

	ask_count = min(count + 2, (size_t)ihid->bufsize);





	ret = i2c_hid_get_report(client,

	ret = i2c_hid_get_report(client,

			report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,

			report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,

			report_number, ihid->inbuf, count);

			report_number, ihid->inbuf, ask_count);





	if (ret < 0)

	if (ret < 0)

		return ret;

		return ret;





	count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);

	ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);





	if (!ret_count)

		return 0;



	ret_count = min(ret_count, ask_count);



	/* The query buffer contains the size, dropping it in the reply */

	count = min(count, ret_count - 2);

	memcpy(buf, ihid->inbuf + 2, count);

	memcpy(buf, ihid->inbuf + 2, count);





	return count;

	return count;