[PATCH 1/4] HID: elo: ignore short touch reports

Next message: Yousef Alhouseen: "[PATCH 2/4] HID: cougar: reject short vendor reports"
Previous message: Nikhil Solanke: "Re: [PATCH v2] usbcore: Add quirk for 255-bytes initial config read"
Next in thread: Yousef Alhouseen: "[PATCH 2/4] HID: cougar: reject short vendor reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:36:18 EST

elo_process_data() reads coordinates, flags, and pressure through data[7].
The raw-event callback only checks the packet marker, so a malformed USB
device can submit a one-byte marker report and trigger out-of-bounds
reads from the input buffer.

Only process touch packets that contain all eight protocol bytes.

Fixes: d23efc19478a ("HID: add driver for ELO 4000/4500")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-elo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c
index b8f5f3eb53a4..1aeec712c67b 100644
--- a/drivers/hid/hid-elo.c
+++ b/drivers/hid/hid-elo.c
@@ -89,7 +89,7 @@ static int elo_raw_event(struct hid_device *hdev, struct hid_report *report,

switch (report->id) {
case 0:
- if (data[0] == 'T') { /* Mandatory ELO packet marker */
+ if (size >= 8 && data[0] == 'T') { /* Mandatory ELO packet marker */
elo_process_data(hidinput->input, data, size);
return 1;
}
--
2.54.0