From 0fe6150d9bd5a68f6f2e6d5df3109d60af971995 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 19 Mar 2014 23:30:39 +0100
Subject: unifying: reject long DJ writes unconditionally
Reports 0x21 always fails (-EPIPE) for Set_Report.
Signed-off-by: Peter Wu
---
 hw/usb/hid-logitech-dj.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/hw/usb/hid-logitech-dj.c b/hw/usb/hid-logitech-dj.c
index fa5c96933b..883830a841 100644
--- a/hw/usb/hid-logitech-dj.c
+++ b/hw/usb/hid-logitech-dj.c
@@ -124,13 +124,14 @@ static void hidpp_notif_device_connection(USBLtunifyState *s, uint8_t device_ind
 hidpp_queue_output_report(s, (HidppMsg *) &msg);
 }
-static bool hidpp_process_receiver_report(USBLtunifyState *s, HidppMsg *msg)
+static void hidpp_process_receiver_report(USBLtunifyState *s, HidppMsg *msg)
 {
 LHidDevice *hd;
 int i;
 uint8_t *parms;
 assert(msg->device_index == 0xFF);
+ assert(msg->report_id != DJ_LONG);
 if (msg->report_id == DJ_SHORT) {
 parms = msg->dj_s.payload;
@@ -298,13 +299,7 @@ static bool hidpp_process_receiver_report(USBLtunifyState *s, HidppMsg *msg)
 hidpp_queue_error(s, msg, HIDPP_ERR_INVALID_SUBID);
 }
 }
- } else {
- /* DJ_LONG is unhandled */
- return false;
 }
-
- /* report is accepted and possibly processed */
- return true;
 }
 static void hidpp_process_input_report(USBLtunifyState *s, HidppMsg msg)
@@ -327,7 +322,8 @@ static void hidpp_set_report(USBDevice *dev, USBPacket *p, uint8_t *data, size_t
 HidppMsg *msg = (HidppMsg *) data;
 int report_len;
- if (len < sizeof(HidppMsgShort)) {
+ /* fail if the report is too short, or if trying to write a long report */
+ if (len < sizeof(HidppMsgShort) || msg->report_id == DJ_LONG) {
 goto fail;
 }
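Review bot: The added `assert(msg->report_id != DJ_LONG);` in hidpp_process_receiver_report makes a field read from the Set_Report payload a process-aborting condition, and only the new DJ_LONG test in hidpp_set_report keeps it unreachable. That coupling is not documented, and in a build with NDEBUG the assert disappears, so a DJ_LONG message would presumably fall through the if/else chain with no error queued (most of the chain is outside the hunk). I would state the precondition above the function, e.g. `/* caller must have rejected DJ_LONG; report_id comes from the Set_Report payload */`, or replace the assert with `if (msg->report_id == DJ_LONG) { return; }` so a later caller cannot trip it. The function body continues outside the hunk.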
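Review bot: The new condition in hidpp_set_report is safe only because the length test is evaluated first: `msg` aliases `data`, so `msg->report_id` is read from the caller's buffer and must not be touched when `len < sizeof(HidppMsgShort)`. The added comment says what is rejected but not that the order matters, so a later reshuffle of the two operands could introduce an out-of-bounds read. I would extend the comment, e.g. `/* length check must stay first: report_id is read from data */`. The body of hidpp_set_report continues outside the hunk.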
@@ -335,9 +331,7 @@ static void hidpp_set_report(USBDevice *dev, USBPacket *p, uint8_t *data, size_t
 if (report_len > 0 && len >= report_len) {
 if (msg->device_index == 0xFF) {
 /* receiver messages can be processed immediately */
- if (!hidpp_process_receiver_report(s, msg)) {
- goto fail;
- }
+ hidpp_process_receiver_report(s, msg);
 } else if (s->input_queue.n < LQUEUE_SIZE(s->input_queue)) {
 unsigned slot = LQUEUE_WRAP(s->input_queue, s->input_queue.head + s->input_queue.n);
 s->input_queue.n++;
--
cgit v1.2.1