summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Wu <peter@lekensteyn.nl>2014-12-16 16:32:33 +0100
committerPeter Wu <peter@lekensteyn.nl>2014-12-16 16:32:33 +0100
commit116586326c879a62a79202ba3b4435728dfc46d8 (patch)
treee3334c7514096ea2b63bff72da7803ff8d459b93
parent1d56b9805c51a8a7717d769849173fd5fb8f30c5 (diff)
downloadlinux-116586326c879a62a79202ba3b4435728dfc46d8.tar.gz
HID: logitech-hidpp: check WTP report length
Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length for WTP reports is valid to avoid reading out of bounds. Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-rw-r--r--drivers/hid/hid-logitech-hidpp.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index b32f751b2d2d..2f1b0ac85381 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -805,6 +805,11 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size)
switch (data[0]) {
case 0x02:
+ if (size < 2) {
+ hid_err(hdev, "Received HID report of bad size (%d)",
+ size);
+ return 1;
+ }
if (hidpp->quirks & HIDPP_QUIRK_WTP_PHYSICAL_BUTTONS) {
input_event(wd->input, EV_KEY, BTN_LEFT,
!!(data[1] & 0x01));
@@ -818,6 +823,7 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size)
return wtp_mouse_raw_xy_event(hidpp, &data[7]);
}
case REPORT_ID_HIDPP_LONG:
+ /* size is already checked in hidpp_raw_event. */
if ((report->fap.feature_index != wd->mt_feature_index) ||
(report->fap.funcindex_clientid != EVENT_TOUCHPAD_RAW_XY))
return 1;