Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Next message: Miguel Ojeda: "Re: [PATCH] MAINTAINERS: Update email address for Joel Fernandes"
Previous message: Gary Guo: "Re: [PATCH v2] rust: sync: inline various lock related methods"
In reply to: Benjamin Tissoires: "Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()"
Next in thread: Benjamin Tissoires: "Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Benjamin Tissoires

Date: Wed Jan 07 2026 - 12:37:45 EST

On Jan 08 2026, kenkinming2002@xxxxxxxxx wrote:
> On Wed, Jan 07, 2026 at 03:20:13PM +0100, Benjamin Tissoires wrote:
> > It makes sense to put this min call here, but it's already present at
> > line 304 a few lines after. Could you remove that second check (and
> > unnecessary one after your change).
>
> The min call at line 304 uses ret_count which comes from the first 2
> bytes in the device response and indicates the actual size of the
> returned report descriptor. Notice that importantly ret_count can be
> strictly smaller than ihid->bufsize because persumably not all reports
> have the same size. The behavior will change if the caller provides a
> larger buffer than is necessary. With the min call at line 304, we will
> return the actual size of the report descriptor (without the 2 bytes
> length header). Without the min call at 304, we will instead return the
> size of supplied buffer.

Oh, you're correct. Thanks.

Applied (as mentioned by the automated reply).

Cheers,
Benjamin

>
> Yours sincerely,
> Ken Kwok