ANDROID: Bluetooth: hidp: buffer overflow in hidp_process_report

The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Fixes: 678af93e46ac10318b54f2f0c9abbdfe75c4e078 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Bug: 65853588
Change-Id: I779ce783ae7c3bce8c5a66c0954ef31347e42cfc
Mark Salyzyn 2018-01-16 13:42:30 -08:00 committed by syphyr
parent a79aa02daa
commit f6962c4d28
1 changed files with 2 additions and 2 deletions

@ -425,8 +425,8 @@ static void hidp_del_timer(struct hidp_session *session)
del_timer(&session->timer);
}
static void hidp_process_report(struct hidp_session *session,
int type, const u8 *data, int len, int intr)
static void hidp_process_report(struct hidp_session *session, int type,
const u8 *data, unsigned int len, int intr)
{
if (len > HID_MAX_BUFFER_SIZE)
len = HID_MAX_BUFFER_SIZE;
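
Review bot: the clamp at `if (len > HID_MAX_BUFFER_SIZE)` only bounds `len` from above, so with `unsigned int len` a length that a caller derived by signed arithmetic and that went negative is now converted to a large value and capped to HID_MAX_BUFFER_SIZE instead of being rejected. That closes the case where a negative `int len` slipped past the comparison unclamped, but the capped value may still exceed the bytes actually present behind `data`. The callers are not visible in this hunk, so please confirm each one passes an unsigned length that cannot exceed the received payload, for example by checking the length before any header bytes are subtracted. A one-line comment above the signature saying that `len` must stay unsigned for the clamp to hold would also help prevent a later change from reintroducing the `int` type.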