Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 46f9006e authored by Aaron Ma's avatar Aaron Ma Committed by Greg Kroah-Hartman
Browse files

HID: i2c-hid: fix size check and type usage 



commit ac75a041048b8c1f7418e27621ca5efda8571043 upstream.

When convert char array with signed int, if the inbuf[x] is negative then
upper bits will be set to 1. Fix this by using u8 instead of char.

ret_size has to be at least 3, hid_input_report use it after minus 2 bytes.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent d0e3d32b

drivers/hid/i2c-hid/i2c-hid.c

+7 −6
Original line number Original line Diff line number Diff line
@@ -136,10 +136,10 @@ struct i2c_hid { 
						   * register of the HID

						   * register of the HID

						   * descriptor. */

						   * descriptor. */

	unsigned int		bufsize;	/* i2c buffer size */

	unsigned int		bufsize;	/* i2c buffer size */

	char			*inbuf;		/* Input buffer */

	u8			*inbuf;		/* Input buffer */

	char			*rawbuf;	/* Raw Input buffer */

	u8			*rawbuf;	/* Raw Input buffer */

	char			*cmdbuf;	/* Command buffer */

	u8			*cmdbuf;	/* Command buffer */

	char			*argsbuf;	/* Command arguments buffer */

	u8			*argsbuf;	/* Command arguments buffer */





	unsigned long		flags;		/* device flags */

	unsigned long		flags;		/* device flags */
@@ -373,7 +373,8 @@ static int i2c_hid_hwreset(struct i2c_client *client) 




static void i2c_hid_get_input(struct i2c_hid *ihid)

static void i2c_hid_get_input(struct i2c_hid *ihid)

{

{

	int ret, ret_size;

	int ret;

	u32 ret_size;

	int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);

	int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);





	if (size > ihid->bufsize)

	if (size > ihid->bufsize)
@@ -398,7 +399,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) 
		return;

		return;

	}

	}





	if (ret_size > size) {

	if ((ret_size > size) || (ret_size <= 2)) {

		dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",

		dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",

			__func__, size, ret_size);

			__func__, size, ret_size);

		return;

		return;