[PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup

From: Eric-Terminal

Date: Sat Feb 28 2026 - 12:28:02 EST


From: Yufan Chen <ericterminal@xxxxxxxxx>

hidp_setup_hid() duplicates the report descriptor from userspace based on
req->rd_size. Large values can trigger oversized copies.

Do not reject the connection when rd_size exceeds
HID_MAX_DESCRIPTOR_SIZE. Instead, cap rd_size in hidp_setup_hid()
and use the capped value for memdup_user() and session->rd_size.

This keeps compatibility with existing userspace behavior while
bounding memory usage in the HID setup path.

Signed-off-by: Yufan Chen <ericterminal@xxxxxxxxx>
---
net/bluetooth/hidp/core.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6fe815241..31aeffa39 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session *session,
const struct hidp_connadd_req *req)
{
struct hid_device *hid;
+ unsigned int rd_size;
int err;

- session->rd_data = memdup_user(req->rd_data, req->rd_size);
+ rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);
+
+ session->rd_data = memdup_user(req->rd_data, rd_size);
if (IS_ERR(session->rd_data))
return PTR_ERR(session->rd_data);

- session->rd_size = req->rd_size;
+ session->rd_size = rd_size;

hid = hid_allocate_device();
if (IS_ERR(hid)) {
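Review bot: the `rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);` line silently truncates an oversized descriptor instead of reporting it, so a descriptor cut off partway through is handed to the HID core as if it were what userspace supplied, and the caller never learns that the bytes beyond the cap were dropped. If the aim is only to bound the memdup_user() copy, returning -EINVAL when req->rd_size exceeds HID_MAX_DESCRIPTOR_SIZE is the more predictable contract; if truncation really is required for compatibility, the commit message should name the userspace behaviour being preserved, and a short comment above the min_t() should say that the descriptor is deliberately clipped. Also confirm that the type of req->rd_size is no wider than `unsigned int` so the min_t() cast cannot itself lose bits before the comparison.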
--
2.47.3