HID: picolcd: sanity check report size in raw_event() callback
commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream. The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
fe63ce5175
commit
8ee6be5563
|
@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
|
||||||
if (!data)
|
if (!data)
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
|
if (size > 64) {
|
||||||
|
hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
|
||||||
|
size);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (report->id == REPORT_KEY_STATE) {
|
if (report->id == REPORT_KEY_STATE) {
|
||||||
if (data->input_keys)
|
if (data->input_keys)
|
||||||
ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
|
ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
|
||||||
|
|
Loading…
Reference in New Issue