Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f254ae93 authored by Peter Wu's avatar Peter Wu Committed by Jiri Kosina
Browse files

HID: logitech-dj: check report length 



Malicious USB devices can send bogus reports smaller than the expected
buffer size. Ensure that the length is valid to avoid reading out of
bounds.

Signed-off-by: default avatarPeter Wu <peter@lekensteyn.nl>
Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 0349678c

drivers/hid/hid-logitech-dj.c

+15 −1
Original line number Diff line number Diff line
@@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev, 


	switch (data[0]) {

	case REPORT_ID_DJ_SHORT:

		if (size != DJREPORT_SHORT_LENGTH) {

			dev_err(&hdev->dev, "DJ report of bad size (%d)", size);

			return false;

		}

		return logi_dj_dj_event(hdev, report, data, size);

	case REPORT_ID_HIDPP_SHORT:

		/* intentional fallthrough */

		if (size != HIDPP_REPORT_SHORT_LENGTH) {

			dev_err(&hdev->dev,

				"Short HID++ report of bad size (%d)", size);

			return false;

		}

		return logi_dj_hidpp_event(hdev, report, data, size);

	case REPORT_ID_HIDPP_LONG:

		if (size != HIDPP_REPORT_LONG_LENGTH) {

			dev_err(&hdev->dev,

				"Long HID++ report of bad size (%d)", size);

			return false;

		}

		return logi_dj_hidpp_event(hdev, report, data, size);

	}