HID: picolcd: sanity check report size in raw_event() callback
commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream. The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
fe63ce5175
commit
8ee6be5563
|
@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
|
|||
if (!data)
|
||||
return 1;
|
||||
|
||||
if (size > 64) {
|
||||
hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
|
||||
size);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (report->id == REPORT_KEY_STATE) {
|
||||
if (data->input_keys)
|
||||
ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
|
||||
|
|
Loading…
Reference in New Issue