HID: Bluetooth: hidp: make sure input buffers are big enough

HID core expects the input buffers to be at least of size 4096 (HID_MAX_BUFFER_SIZE). Other sizes will result in buffer-overflows if an input-report is smaller than advertised. We could, like i2c, compute the biggest report-size instead of using HID_MAX_BUFFER_SIZE, but this will blow up if report-descriptors are changed after ->start() has been called. So lets be safe and just use the biggest buffer we have. Note that this adds an additional copy to the HIDP input path. If there is a way to make sure the skb-buf is big enough, we should use that instead. The best way would be to make hid-core honor the @size argument, though, that sounds easier than it is. So lets just fix the buffer-overflows for now and afterwards look for a faster way for all transport drivers. Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
author: David Herrmann <dh.herrmann@gmail.com> 2013-12-19 06:09:32 -0500
committer: Jiri Kosina <jkosina@suse.cz> 2014-02-17 15:17:55 -0500
commit: a4b1b5877b514b276f0f31efe02388a9c2836728 (patch)
tree: a09dd741c0a2b98db2ab8f71b45c5dc92efcc02c /net/bluetooth/hidp
parent: 218eb9ed840c6279686ed6b0c3e31a083e241ff9 (diff)
2 files changed, 18 insertions, 2 deletions
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 292e619db896..d9fb93451442 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -430,6 +430,16 @@ static void hidp_del_timer(struct hidp_session *session)
                del_timer(&session->timer);
 }
+static void hidp_process_report(struct hidp_session *session,
+                                int type, const u8 *data, int len, int intr)
+{
+        if (len > HID_MAX_BUFFER_SIZE)
+                len = HID_MAX_BUFFER_SIZE;
+        memcpy(session->input_buf, data, len);
+        hid_input_report(session->hid, type, session->input_buf, len, intr);
+}
 static void hidp_process_handshake(struct hidp_session *session,
                                        unsigned char param)
 {
@@ -502,7 +512,8 @@ static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
                        hidp_input_report(session, skb);
                if (session->hid)
-                        hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
+                        hidp_process_report(session, HID_INPUT_REPORT,
+                                            skb->data, skb->len, 0);
                break;
        case HIDP_DATA_RTYPE_OTHER:
@@ -584,7 +595,8 @@ static void hidp_recv_intr_frame(struct hidp_session *session,
                        hidp_input_report(session, skb);
                if (session->hid) {
-                        hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1);
+                        hidp_process_report(session, HID_INPUT_REPORT,
+                                            skb->data, skb->len, 1);
                        BT_DBG("report len %d", skb->len);
                }
        } else {
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index ab5241400cf7..8798492a6e99 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -24,6 +24,7 @@
 #define __HIDP_H
 #include <linux/types.h>
+#include <linux/hid.h>
 #include <linux/kref.h>
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/l2cap.h>
@@ -179,6 +180,9 @@ struct hidp_session {
        /* Used in hidp_output_raw_report() */
        int output_report_success; /* boolean */
+        /* temporary input buffer */
+        u8 input_buf[HID_MAX_BUFFER_SIZE];
 };
 /* HIDP init defines */
author	David Herrmann <dh.herrmann@gmail.com>	2013-12-19 06:09:32 -0500
committer	Jiri Kosina <jkosina@suse.cz>	2014-02-17 15:17:55 -0500
commit	a4b1b5877b514b276f0f31efe02388a9c2836728 (patch)
tree	a09dd741c0a2b98db2ab8f71b45c5dc92efcc02c /net/bluetooth/hidp
parent	218eb9ed840c6279686ed6b0c3e31a083e241ff9 (diff)