Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: i2c-hid: allocate hid buffers for real worst case

The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.

Cc: stable@vger.kernel.org
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Authored by Adrian Salido and committed by Jiri Kosina
8320caee cac72b99

+2 -1
drivers/hid/i2c-hid/i2c-hid.c
··· 543 543 { 544 544 /* the worst case is computed from the set_report command with a 545 545 * reportID > 15 and the maximum report length */ 546 - int args_len = sizeof(__u8) + /* optional ReportID byte */ 546 + int args_len = sizeof(__u8) + /* ReportID */ 547 + sizeof(__u8) + /* optional ReportID byte */ 547 548 sizeof(__u16) + /* data register */ 548 549 sizeof(__u16) + /* size of the report */ 549 550 report_size; /* report */
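Review bot: The two sizeof(__u8) terms at new lines 546-547 are labelled "ReportID" and "optional ReportID byte", which does not tell a reader what distinguishes the two bytes or why the first is unconditional. Since the surrounding comment says the worst case is the set_report command with reportID > 15, each term's comment should name the field it reserves room for in that command, so the sum can be checked against the writer by inspection. The commit message places the out-of-bounds access in i2c_hid_set_or_send_report(), but this hunk only enlarges the allocation. The sizing is still an open-coded sum that has to be kept in step with that function by hand. Consider deriving both from a shared length helper, or adding an explicit length check against the allocated size before the buffer is filled, so a future change to the command layout fails the check instead of overrunning the buffer.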