[PATCH 3/6] HID: roccat-pyra: reject short button reports

Next message: Yousef Alhouseen: "[PATCH 1/6] HID: roccat-koneplus: reject short button reports"
Previous message: Thomas Gleixner: "Re: [PATCH v2 12/13] x86: Add support for dynamic kernel stacks via FRED"
In reply to: Yousef Alhouseen: "[PATCH 1/6] HID: roccat-koneplus: reject short button reports"
Next in thread: Yousef Alhouseen: "[PATCH 2/6] HID: roccat-isku: reject short button reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:46:59 EST

The Pyra raw-event path treats every button report as a complete
five-byte structure. A malformed USB device can send a shorter report
and make profile tracking or character-device event construction read
beyond the received input buffer.

Ignore incomplete button reports before calling either helper.

Fixes: cb7cf3da0daa ("HID: roccat: add driver for Roccat Pyra mouse")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-roccat-pyra.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/hid/hid-roccat-pyra.c b/drivers/hid/hid-roccat-pyra.c
index 0d515995bb9d..df8949c17ce3 100644
--- a/drivers/hid/hid-roccat-pyra.c
+++ b/drivers/hid/hid-roccat-pyra.c
@@ -557,6 +557,10 @@ static int pyra_raw_event(struct hid_device *hdev, struct hid_report *report,
if (pyra == NULL)
return 0;

+ if (data[0] == PYRA_MOUSE_REPORT_NUMBER_BUTTON &&
+ size < sizeof(struct pyra_mouse_event_button))
+ return 0;
+
pyra_keep_values_up_to_date(pyra, data);

if (pyra->roccat_claimed)
--
2.54.0