diff options
author | Peter Wu <peter@lekensteyn.nl> | 2014-12-16 16:55:21 +0100 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2014-12-17 08:50:12 +0100 |
commit | f254ae938ea479739572790a4e9b0ca86d16249f (patch) | |
tree | ba6bc66d182876f716c6cfe9a4f8a1e9a0202add /drivers/hid | |
parent | 0349678ccd74d16c1f2bb58ecafec13ef7110e36 (diff) | |
download | op-kernel-dev-f254ae938ea479739572790a4e9b0ca86d16249f.zip op-kernel-dev-f254ae938ea479739572790a4e9b0ca86d16249f.tar.gz |
HID: logitech-dj: check report length
Malicious USB devices can send bogus reports smaller than the expected
buffer size. Ensure that the length is valid to avoid reading out of
bounds.
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid')
-rw-r--r-- | drivers/hid/hid-logitech-dj.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c index c917ab6..5bc6d80 100644 --- a/drivers/hid/hid-logitech-dj.c +++ b/drivers/hid/hid-logitech-dj.c @@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev, switch (data[0]) { case REPORT_ID_DJ_SHORT: + if (size != DJREPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, "DJ report of bad size (%d)", size); + return false; + } return logi_dj_dj_event(hdev, report, data, size); case REPORT_ID_HIDPP_SHORT: - /* intentional fallthrough */ + if (size != HIDPP_REPORT_SHORT_LENGTH) { + dev_err(&hdev->dev, + "Short HID++ report of bad size (%d)", size); + return false; + } + return logi_dj_hidpp_event(hdev, report, data, size); case REPORT_ID_HIDPP_LONG: + if (size != HIDPP_REPORT_LONG_LENGTH) { + dev_err(&hdev->dev, + "Long HID++ report of bad size (%d)", size); + return false; + } return logi_dj_hidpp_event(hdev, report, data, size); } |