Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8320caee authored by Adrian Salido's avatar Adrian Salido Committed by Jiri Kosina
Browse files

HID: i2c-hid: allocate hid buffers for real worst case 



The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarAdrian Salido <salidoa@google.com>
Reviewed-by: default avatarBenson Leung <bleung@chromium.org>
Signed-off-by: default avatarGuenter Roeck <groeck@chromium.org>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent cac72b99

drivers/hid/i2c-hid/i2c-hid.c

+2 −1
Original line number Original line Diff line number Diff line
@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size) 
{

{

	/* the worst case is computed from the set_report command with a

	/* the worst case is computed from the set_report command with a

	 * reportID > 15 and the maximum report length */

	 * reportID > 15 and the maximum report length */

	int args_len = sizeof(__u8) + /* optional ReportID byte */

	int args_len = sizeof(__u8) + /* ReportID */

		       sizeof(__u8) + /* optional ReportID byte */

		       sizeof(__u16) + /* data register */

		       sizeof(__u16) + /* data register */

		       sizeof(__u16) + /* size of the report */

		       sizeof(__u16) + /* size of the report */

		       report_size; /* report */

		       report_size; /* report */