[PATCH 5/6] HID: roccat-konepure: reject short button reports

Next message: Hugo Osvaldo Barrera: "Re: [PATCH 2/2] dt-bindings: bluetooth: broadcom: add BCM43752"
Previous message: Yousef Alhouseen: "[PATCH 4/6] HID: roccat-kovaplus: reject short button reports"
In reply to: Yousef Alhouseen: "[PATCH 4/6] HID: roccat-kovaplus: reject short button reports"
Next in thread: Yousef Alhouseen: "[PATCH 6/6] HID: roccat-ryos: reject short special reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 12:49:38 EST

konepure_raw_event() forwards button reports directly to
roccat_report_event(), which copies the fixed eight-byte report size
registered by this driver. A malformed USB device can send a shorter
report and make that copy read beyond the input buffer.

Only forward complete button reports.

Fixes: 8936aa31cd5f ("HID: roccat: add support for Roccat Kone Pure gaming mouse")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/hid/hid-roccat-konepure.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-roccat-konepure.c b/drivers/hid/hid-roccat-konepure.c
index 7f753dfc2a10..d17dee18ac2b 100644
--- a/drivers/hid/hid-roccat-konepure.c
+++ b/drivers/hid/hid-roccat-konepure.c
@@ -181,7 +181,8 @@ static int konepure_raw_event(struct hid_device *hdev,
!= USB_INTERFACE_PROTOCOL_MOUSE)
return 0;

- if (data[0] != KONEPURE_MOUSE_REPORT_NUMBER_BUTTON)
+ if (data[0] != KONEPURE_MOUSE_REPORT_NUMBER_BUTTON ||
+ size < sizeof(struct konepure_mouse_report_button))
return 0;

if (konepure != NULL && konepure->roccat_claimed)
--
2.54.0