[PATCH 3/4] HID: zydacron: reject short key reports

Next message: Nikhil Solanke: "Re: [PATCH v2] usbcore: Add quirk for 255-bytes initial config read"
Previous message: Yousef Alhouseen: "[PATCH 4/4] HID: roccat-savu: reject short special reports"
In reply to: Yousef Alhouseen: "[PATCH 4/4] HID: roccat-savu: reject short special reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:37:12 EST

The raw-event handler reads data[1] for report IDs 2 and 3 without
checking that the report includes a payload byte. A malformed USB device
can submit a report containing only the report ID and trigger an
out-of-bounds read.

Ignore the key value when the payload byte is missing.

Fixes: d0742abaa1c3 ("HID: add omitted hid-zydacron.c file")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-zydacron.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-zydacron.c b/drivers/hid/hid-zydacron.c
index 1aae80f848f5..b882d2a0ba1a 100644
--- a/drivers/hid/hid-zydacron.c
+++ b/drivers/hid/hid-zydacron.c
@@ -129,6 +129,9 @@ static int zc_raw_event(struct hid_device *hdev, struct hid_report *report,
switch (report->id) {
case 0x02:
case 0x03:
+ if (size < 2)
+ break;
+
switch (data[1]) {
case 0x10:
key = KEY_MODE;
--
2.54.0