HID: logitech-dj: check report length

Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length is valid to avoid reading out of bounds. Signed-off-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
author: Peter Wu <peter@lekensteyn.nl> 2014-12-16 10:55:21 -0500
committer: Jiri Kosina <jkosina@suse.cz> 2014-12-17 02:50:12 -0500
commit: f254ae938ea479739572790a4e9b0ca86d16249f (patch)
tree: ba6bc66d182876f716c6cfe9a4f8a1e9a0202add
parent: 0349678ccd74d16c1f2bb58ecafec13ef7110e36 (diff)
1 files changed, 15 insertions, 1 deletions
diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index c917ab61aafa..5bc6d80d5be7 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev,
        switch (data[0]) {
        case REPORT_ID_DJ_SHORT:
+                if (size != DJREPORT_SHORT_LENGTH) {
+                        dev_err(&hdev->dev, "DJ report of bad size (%d)", size);
+                        return false;
+                }
                return logi_dj_dj_event(hdev, report, data, size);
        case REPORT_ID_HIDPP_SHORT:
-                /* intentional fallthrough */
+                if (size != HIDPP_REPORT_SHORT_LENGTH) {
+                        dev_err(&hdev->dev,
+                                "Short HID++ report of bad size (%d)", size);
+                        return false;
+                }
+                return logi_dj_hidpp_event(hdev, report, data, size);
        case REPORT_ID_HIDPP_LONG:
+                if (size != HIDPP_REPORT_LONG_LENGTH) {
+                        dev_err(&hdev->dev,
+                                "Long HID++ report of bad size (%d)", size);
+                        return false;
+                }
                return logi_dj_hidpp_event(hdev, report, data, size);
        }
author	Peter Wu <peter@lekensteyn.nl>	2014-12-16 10:55:21 -0500
committer	Jiri Kosina <jkosina@suse.cz>	2014-12-17 02:50:12 -0500
commit	f254ae938ea479739572790a4e9b0ca86d16249f (patch)
tree	ba6bc66d182876f716c6cfe9a4f8a1e9a0202add
parent	0349678ccd74d16c1f2bb58ecafec13ef7110e36 (diff)

diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c index c917ab61aafa..5bc6d80d5be7 100644 --- a/drivers/hid/hid-logitech-dj.c +++ b/drivers/hid/hid-logitech-dj.c
@@ -962,10 +962,24 @@ static int logi_dj_raw_event(struct hid_device *hdev,
962		962
963	switch (data[0]) {	963	switch (data[0]) {
964	case REPORT_ID_DJ_SHORT:	964	case REPORT_ID_DJ_SHORT:
		965	if (size != DJREPORT_SHORT_LENGTH) {
		966	dev_err(&hdev->dev, "DJ report of bad size (%d)", size);
		967	return false;
		968	}
965	return logi_dj_dj_event(hdev, report, data, size);	969	return logi_dj_dj_event(hdev, report, data, size);
966	case REPORT_ID_HIDPP_SHORT:	970	case REPORT_ID_HIDPP_SHORT:
967	/* intentional fallthrough */	971	if (size != HIDPP_REPORT_SHORT_LENGTH) {
		972	dev_err(&hdev->dev,
		973	"Short HID++ report of bad size (%d)", size);
		974	return false;
		975	}
		976	return logi_dj_hidpp_event(hdev, report, data, size);
968	case REPORT_ID_HIDPP_LONG:	977	case REPORT_ID_HIDPP_LONG:
		978	if (size != HIDPP_REPORT_LONG_LENGTH) {
		979	dev_err(&hdev->dev,
		980	"Long HID++ report of bad size (%d)", size);
		981	return false;
		982	}
969	return logi_dj_hidpp_event(hdev, report, data, size);	983	return logi_dj_hidpp_event(hdev, report, data, size);
970	}	984	}
971		985