summaryrefslogtreecommitdiff
path: root/hw
diff options
context:
space:
mode:
authorPeter Wu <peter@lekensteyn.nl>2014-03-19 23:30:39 +0100
committerPeter Wu <peter@lekensteyn.nl>2014-03-19 23:30:39 +0100
commit0fe6150d9bd5a68f6f2e6d5df3109d60af971995 (patch)
treeb9af70d164ac7ee1fac6fea73365362bc2845269 /hw
parentdb7becb5be98945b079fc727b289ccca3024eff8 (diff)
downloadqemu-0fe6150d9bd5a68f6f2e6d5df3109d60af971995.tar.gz
unifying: reject long DJ writes unconditionally
Reports 0x21 always fails (-EPIPE) for Set_Report. Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'hw')
-rw-r--r--hw/usb/hid-logitech-dj.c16
1 files changed, 5 insertions, 11 deletions
diff --git a/hw/usb/hid-logitech-dj.c b/hw/usb/hid-logitech-dj.c
index fa5c96933b..883830a841 100644
--- a/hw/usb/hid-logitech-dj.c
+++ b/hw/usb/hid-logitech-dj.c
@@ -124,13 +124,14 @@ static void hidpp_notif_device_connection(USBLtunifyState *s, uint8_t device_ind
hidpp_queue_output_report(s, (HidppMsg *) &msg);
}
-static bool hidpp_process_receiver_report(USBLtunifyState *s, HidppMsg *msg)
+static void hidpp_process_receiver_report(USBLtunifyState *s, HidppMsg *msg)
{
LHidDevice *hd;
int i;
uint8_t *parms;
assert(msg->device_index == 0xFF);
+ assert(msg->report_id != DJ_LONG);
if (msg->report_id == DJ_SHORT) {
parms = msg->dj_s.payload;
@@ -298,13 +299,7 @@ static bool hidpp_process_receiver_report(USBLtunifyState *s, HidppMsg *msg)
hidpp_queue_error(s, msg, HIDPP_ERR_INVALID_SUBID);
}
}
- } else {
- /* DJ_LONG is unhandled */
- return false;
}
-
- /* report is accepted and possibly processed */
- return true;
}
static void hidpp_process_input_report(USBLtunifyState *s, HidppMsg msg)
@@ -327,7 +322,8 @@ static void hidpp_set_report(USBDevice *dev, USBPacket *p, uint8_t *data, size_t
HidppMsg *msg = (HidppMsg *) data;
int report_len;
- if (len < sizeof(HidppMsgShort)) {
+ /* fail if the report is too short, or if trying to write a long report */
+ if (len < sizeof(HidppMsgShort) || msg->report_id == DJ_LONG) {
goto fail;
}
@@ -335,9 +331,7 @@ static void hidpp_set_report(USBDevice *dev, USBPacket *p, uint8_t *data, size_t
if (report_len > 0 && len >= report_len) {
if (msg->device_index == 0xFF) {
/* receiver messages can be processed immediately */
- if (!hidpp_process_receiver_report(s, msg)) {
- goto fail;
- }
+ hidpp_process_receiver_report(s, msg);
} else if (s->input_queue.n < LQUEUE_SIZE(s->input_queue)) {
unsigned slot = LQUEUE_WRAP(s->input_queue, s->input_queue.head + s->input_queue.n);
s->input_queue.n++;