Re: [PATCH] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Next message: Kery Qi: "[PATCH] mlx4: Fix out of bounds access in __mlx4_register_mac()"
Previous message: Kairui Song: "Re: [PATCH v5 14/19] mm, swap: cleanup swap entry management workflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: kenkinming2002

Date: Wed Jan 07 2026 - 11:08:30 EST

On Wed, Jan 07, 2026 at 03:20:13PM +0100, Benjamin Tissoires wrote:
> It makes sense to put this min call here, but it's already present at
> line 304 a few lines after. Could you remove that second check (and
> unnecessary one after your change).

The min call at line 304 uses ret_count which comes from the first 2
bytes in the device response and indicates the actual size of the
returned report descriptor. Notice that importantly ret_count can be
strictly smaller than ihid->bufsize because persumably not all reports
have the same size. The behavior will change if the caller provides a
larger buffer than is necessary. With the min call at line 304, we will
return the actual size of the report descriptor (without the 2 bytes
length header). Without the min call at 304, we will instead return the
size of supplied buffer.

Yours sincerely,
Ken Kwok