Re: [PATCH v2] HID: ft260: validate report size and payload length in raw_event
From: Jiri Kosina
Date: Thu Apr 09 2026 - 12:08:06 EST
On Tue, 24 Mar 2026, Sebastian Josue Alba Vives wrote:
> ft260_raw_event() casts the raw data buffer to a
> ft260_i2c_input_report struct and accesses its fields without
> validating the size parameter. Since __hid_input_report() invokes
> the driver's raw_event callback before hid_report_raw_event()
> performs its own report-size validation, a device sending a
> truncated HID report can cause out-of-bounds heap reads.
>
> Additionally, even with a full-sized report, a corrupted
> xfer->length field can cause memcpy to read beyond the report
> buffer. The existing check only validates against the destination
> buffer size, not the source data available in the report.
>
> Add two checks: reject reports shorter than FT260_REPORT_MAX_LENGTH,
> and verify that xfer->length does not exceed the actual data
> available in the report. Log warnings to aid debugging.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@xxxxxxxxx>
> ---
> drivers/hid/hid-ft260.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c
> index 333341e80..68008a423 100644
> --- a/drivers/hid/hid-ft260.c
> +++ b/drivers/hid/hid-ft260.c
> @@ -1068,6 +1068,17 @@ static int ft260_raw_event(struct hid_device *hdev, struct hid_report *report,
> struct ft260_device *dev = hid_get_drvdata(hdev);
> struct ft260_i2c_input_report *xfer = (void *)data;
>
> + if (size < FT260_REPORT_MAX_LENGTH) {
> + hid_warn(hdev, "short report: %d\n", size);
> + return 0;
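Review bot: the hid_warn() in the `size < FT260_REPORT_MAX_LENGTH` branch fires once per short report with no rate limit, so a device that keeps sending truncated reports can fill the kernel log. A rate-limited print such as dev_warn_ratelimited(&hdev->dev, ...) would keep the diagnostic without that cost. The same branch discards every report below the maximum length, so if shorter reports can be legitimate, the check should require only the bytes the handler actually reads rather than the full FT260_REPORT_MAX_LENGTH.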
Michael, can you please confirm whether the device can never legitimately
send shorter than FT260_REPORT_MAX_LENGTH reports?
Thanks,
--
Jiri Kosina
SUSE Labs