Re: [PATCH] Bluetooth: HIDP: reject oversized report descriptor

From: Luiz Augusto von Dentz

Date: Fri Feb 27 2026 - 10:08:41 EST


Hi Yufan,

On Tue, Feb 24, 2026 at 8:35 PM Eric-Terminal <ericterminal@xxxxxxxxx> wrote:
>
> From: Yufan Chen <ericterminal@xxxxxxxxx>
>
> hidp_setup_hid() duplicates the report descriptor from userspace
> based on req->rd_size. hidp_session_dev_init() only checked
> rd_size > 0, so oversized values were accepted and propagated
> to memdup_user().
>
> Reject values larger than HID_MAX_DESCRIPTOR_SIZE and return
> -EINVAL before entering the HID setup path.

Well, this has the potential to break compatibility if a device
misbehaves. So is this causing a real problem or is it just defensive
coding? In case of the latter, we may just truncate or something, if
that is not already truncated somewhere else.

> Signed-off-by: Yufan Chen <ericterminal@xxxxxxxxx>
> ---
> net/bluetooth/hidp/core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6fe815241..ce68b3c27 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -815,6 +815,9 @@ static int hidp_session_dev_init(struct hidp_session *session,
> {
> int ret;
>
> + if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)
> + return -EINVAL;
> +
> if (req->rd_size > 0) {
> ret = hidp_setup_hid(session, req);
> if (ret && ret != -ENODEV)
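Review bot: the commit message does not say what actually goes wrong today when an oversized req->rd_size reaches memdup_user() (a failed allocation returning -ENOMEM, an allocator warning, or something else), so the reply above about compatibility versus truncation cannot be weighed from the patch alone; please state the observed failure, or say explicitly that this is hardening. Inside the hunk, the new `if (req->rd_size > HID_MAX_DESCRIPTOR_SIZE)` sits before the existing `if (req->rd_size > 0)` with no comment, so a reader has to know why HID_MAX_DESCRIPTOR_SIZE is the right bound here; a one-line comment saying that this is the limit the HID core applies to report descriptors, and that rejecting early avoids a needless allocation, would make the check self-explanatory. If the choice between rejecting with -EINVAL and clamping to the maximum is settled in this thread, the commit message should record that decision too.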
> --
> 2.53.0
>


--
Luiz Augusto von Dentz