Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

HID: magicmouse: sanity check report size in raw_event() callback

The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

+10
+10
drivers/hid/hid-magicmouse.c
··· 290 290 if (size < 4 || ((size - 4) % 9) != 0) 291 291 return 0; 292 292 npoints = (size - 4) / 9; 293 + if (npoints > 15) { 294 + hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n", 295 + size); 296 + return 0; 297 + } 293 298 msc->ntouches = 0; 294 299 for (ii = 0; ii < npoints; ii++) 295 300 magicmouse_emit_touch(msc, ii, data + ii * 9 + 4); ··· 312 307 if (size < 6 || ((size - 6) % 8) != 0) 313 308 return 0; 314 309 npoints = (size - 6) / 8; 310 + if (npoints > 15) { 311 + hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n", 312 + size); 313 + return 0; 314 + } 315 315 msc->ntouches = 0; 316 316 for (ii = 0; ii < npoints; ii++) 317 317 magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
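Review bot: In the TRACKPAD_REPORT_ID branch (new lines 293-297), the limit in "if (npoints > 15)" is a bare literal with nothing tying it to the storage that magicmouse_emit_touch() indexes with raw_id. The loop passes ii from 0 to npoints - 1, so this check admits indices 0 through 14. A short comment, or a named constant derived from the size of the indexed array, would make it clear whether 15 is meant as a count or as a maximum index, and would keep the check correct if that array is ever resized.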
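Review bot: In the MOUSE_REPORT_ID branch (new lines 310-314), hid_warn() runs for every oversized report, and per the commit message the report size is whatever the transport driver hands over, so a misbehaving device can fill the kernel log at its report rate. Consider rate-limiting the message or emitting it only once. The check is also a copy of the one in the TRACKPAD_REPORT_ID branch apart from the string; a small helper taking npoints, size and the report name would keep the two bounds from drifting apart.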