[PATCH] Bluetooth: HIDP: reject oversized report descriptor

From: Eric-Terminal

Date: Tue Feb 24 2026 - 20:38:10 EST


From: Yufan Chen <ericterminal@xxxxxxxxx>

hidp_setup_hid() duplicates the report descriptor from userspace
based on req->rd_size. hidp_session_dev_init() only checked
rd_size > 0, so oversized values were accepted and propagated
to memdup_user().

Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return
-EINVAL before entering the HID setup path.

Signed-off-by: Yufan Chen <ericterminal@xxxxxxxxx>
---
net/bluetooth/hidp/core.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6fe815241..ce68b3c27 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session,
{
int ret;

+ if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)
+ return -EINVAL;
+
if (req->rd_size > 0) {
ret = hidp_setup_hid(session, req);
if (ret && ret != -ENODEV)
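Review bot: the commit message names the path (memdup_user() reached via hidp_setup_hid()) but not the consequence of an oversized rd_size, so the severity of the bug is hard to judge from the description alone; please state what actually happens today with a huge value (failed allocation, warning, or whatever was observed), and add a Fixes: tag for the commit that introduced the rd_size handling, plus a Cc: stable line if this is meant to be backported. Placing the new `if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)` ahead of the existing `if (req->rd_size > 0)` branch looks right: a zero-length descriptor still skips HID setup exactly as before, and the new bound only bites when a descriptor is actually supplied.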
--
2.53.0