Commit 58b5a523 authored by Adrian Salido's avatar Adrian Salido Committed by Thadeu Lima de Souza Cascardo

HID: i2c-hid: allocate hid buffers for real worst case

BugLink: http://bugs.launchpad.net/bugs/1724783

commit 8320caee upstream.

The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.
Signed-off-by: default avatarAdrian Salido <salidoa@google.com>
Reviewed-by: default avatarBenson Leung <bleung@chromium.org>
Signed-off-by: default avatarGuenter Roeck <groeck@chromium.org>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
parent 8e8f7149
...@@ -540,7 +540,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size) ...@@ -540,7 +540,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
{ {
/* the worst case is computed from the set_report command with a /* the worst case is computed from the set_report command with a
* reportID > 15 and the maximum report length */ * reportID > 15 and the maximum report length */
int args_len = sizeof(__u8) + /* optional ReportID byte */ int args_len = sizeof(__u8) + /* ReportID */
sizeof(__u8) + /* optional ReportID byte */
sizeof(__u16) + /* data register */ sizeof(__u16) + /* data register */
sizeof(__u16) + /* size of the report */ sizeof(__u16) + /* size of the report */
report_size; /* report */ report_size; /* report */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment