Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Next message: Zack Rusin: "Re: [PATCH] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()"
Previous message: Zack Rusin: "Re: [PATCH] drm/vmwgfx: Fix kernel-doc warnings for vmwgfx_fence"
In reply to: Benjamin Tissoires: "Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Benjamin Tissoires

Date: Wed Jan 07 2026 - 12:36:42 EST

On Thu, 01 Jan 2026 02:18:26 +0800, Kwok Kin Ming wrote:
> `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
> into `ihid->rawbuf`.
>
> The former can come from the userspace in the hidraw driver and is only
> bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
> `max_buffer_size` field of `struct hid_ll_driver` which we do not).
>
> [...]

Applied to hid/hid.git (for-6.19/upstream-fixes), thanks!

[1/1] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
https://git.kernel.org/hid/hid/c/2497ff38c530

Cheers,
--
Benjamin Tissoires <bentiss@xxxxxxxxxx>