[PATCH v2 4/4] HID: i2c-hid: fix i2c_hid_get_raw_report count mismatches

From: Benjamin Tissoires
Date: Wed Dec 05 2012 - 09:03:30 EST


The previous memcpy implementation relied on the size advertized by the
device. There were no guarantees that buf was big enough.

Some gymnastic is also required with the +2/-2 to take into account
the first 2 bytes of the returned buffer where the total returned
length is supplied by the device.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxx>
---
drivers/hid/i2c-hid/i2c-hid.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index c6630d4..ce01d59 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid,
{
struct i2c_client *client = hid->driver_data;
struct i2c_hid *ihid = i2c_get_clientdata(client);
+ size_t ret_count, ask_count;
int ret;

if (report_type == HID_OUTPUT_REPORT)
return -EINVAL;

- if (count > ihid->bufsize)
- count = ihid->bufsize;
+ /* +2 bytes to include the size of the reply in the query buffer */
+ ask_count = min(count + 2, (size_t)ihid->bufsize);

ret = i2c_hid_get_report(client,
report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
- report_number, ihid->inbuf, count);
+ report_number, ihid->inbuf, ask_count);

if (ret < 0)
return ret;

- count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
+ ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);

+ if (!ret_count)
+ return 0;
+
+ ret_count = min(ret_count, ask_count);
+
+ /* The query buffer contains the size, dropping it in the reply */
+ count = min(count, ret_count - 2);
memcpy(buf, ihid->inbuf + 2, count);

return count;
--
1.8.0.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/