summaryrefslogtreecommitdiffstats
path: root/drivers/hid
diff options
context:
space:
mode:
authorBenjamin Tissoires <benjamin.tissoires@gmail.com>2012-12-05 15:02:56 +0100
committerJiri Kosina <jkosina@suse.cz>2012-12-06 10:58:42 +0100
commite5b50fe7bea43d0658773c89ba410ecc56867ee6 (patch)
tree8e52cc3e9a269224ad1a233c07a751adcf64b3b9 /drivers/hid
parentHID: i2c-hid: remove extra .irq field in struct i2c_hid (diff)
downloadlinux-e5b50fe7bea43d0658773c89ba410ecc56867ee6.tar.xz
linux-e5b50fe7bea43d0658773c89ba410ecc56867ee6.zip
HID: i2c-hid: fix i2c_hid_get_raw_report count mismatches
The previous memcpy implementation relied on the size advertized by the device. There were no guarantees that buf was big enough. Some gymnastic is also required with the +2/-2 to take into account the first 2 bytes of the returned buffer where the total returned length is supplied by the device. Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid')
-rw-r--r--drivers/hid/i2c-hid/i2c-hid.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index c6630d442e78..ce01d5916184 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid,
{
struct i2c_client *client = hid->driver_data;
struct i2c_hid *ihid = i2c_get_clientdata(client);
+ size_t ret_count, ask_count;
int ret;
if (report_type == HID_OUTPUT_REPORT)
return -EINVAL;
- if (count > ihid->bufsize)
- count = ihid->bufsize;
+ /* +2 bytes to include the size of the reply in the query buffer */
+ ask_count = min(count + 2, (size_t)ihid->bufsize);
ret = i2c_hid_get_report(client,
report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
- report_number, ihid->inbuf, count);
+ report_number, ihid->inbuf, ask_count);
if (ret < 0)
return ret;
- count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
+ ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
+ if (!ret_count)
+ return 0;
+
+ ret_count = min(ret_count, ask_count);
+
+ /* The query buffer contains the size, dropping it in the reply */
+ count = min(count, ret_count - 2);
memcpy(buf, ihid->inbuf + 2, count);
return count;