[PATCH] HID: pxrc: reject short input reports

Next message: Jason Pettit: "Re: [PATCH v2 2/3] arm64: dts: qcom: Add HP EliteBook X G2q 14 AI"
Previous message: Yousef Alhouseen: "[PATCH v2] net: usb: rtl8150: handle link status read failures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:28:37 EST

pxrc_raw_event() unconditionally reads and writes data[7], although a
malformed USB device can submit a shorter input report. The raw-event
callback runs before the HID core expands short reports to the size from
the report descriptor, so this accesses beyond the received buffer.

Ignore reports that do not contain all eight controller axes.

Fixes: acc3e34613da ("HID: Add driver for PhoenixRC Flight Controller")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-pxrc.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-pxrc.c b/drivers/hid/hid-pxrc.c
index 71fe0c06ddcd..e3755d8b85c2 100644
--- a/drivers/hid/hid-pxrc.c
+++ b/drivers/hid/hid-pxrc.c
@@ -55,6 +55,9 @@ static int pxrc_raw_event(struct hid_device *hdev, struct hid_report *report,
{
struct pxrc_priv *priv = hid_get_drvdata(hdev);

+ if (size < 8)
+ return 0;
+
if (priv->alternate)
priv->slider = data[7];
else
--
2.54.0