author: Adrian Salido <salidoa@google.com> 2017-09-08 19:55:27 +0200
committer: Jiri Kosina <jkosina@suse.cz> 2017-09-13 18:16:40 +0200
commit: 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b (patch)
tree: db912024c509ba7ecad44eae01393f9c99c2d4d8
parent: HID: rmi: Make sure the HID device is opened on resume
HID: i2c-hid: allocate hid buffers for real worst case

The buffer allocation is not currently accounting for an extra byte for the report id. This can cause an out of bounds access in function i2c_hid_set_or_send_report() with reportID > 15.

Cc: stable@vger.kernel.org
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

-rw-r--r-- drivers/hid/i2c-hid/i2c-hid.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 77396145d2d0..9145c2129a96 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
{
/* the worst case is computed from the set_report command with a
* reportID > 15 and the maximum report length */
- int args_len = sizeof(__u8) + /* optional ReportID byte */
+ int args_len = sizeof(__u8) + /* ReportID */
+ sizeof(__u8) + /* optional ReportID byte */
sizeof(__u16) + /* data register */
sizeof(__u16) + /* size of the report */
report_size; /* report */
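
Review bot: on the two leading `sizeof(__u8)` terms, the comments "ReportID" and "optional ReportID byte" do not tell a reader which byte each one reserves, which makes this hand-counted sum easy to get wrong again. Suggest wording each comment after where that byte sits in the buffer built by i2c_hid_set_or_send_report(), and stating in the block comment above that both bytes are counted in the worst case. Separately, args_len stays an `int` while report_size is a size_t, so the sum is narrowed on assignment; declaring args_len as size_t would keep the allocation size in the same type as its input.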