HID: logitech-hidpp: check WTP report length

Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length for WTP reports is valid to avoid reading out of bounds. Signed-off-by: N Peter Wu <peter@lekensteyn.nl> Reviewed-by: N Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: N Jiri Kosina <jkosina@suse.cz>

HID: logitech-hidpp: check WTP report length
Malicious USB devices can send bogus reports smaller than the expected buffer size. Ensure that the length for WTP reports is valid to avoid reading out of bounds. Signed-off-by: N Peter Wu <peter@lekensteyn.nl> Reviewed-by: N Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: N Jiri Kosina <jkosina@suse.cz>
0b3f6569 · Peter Wu · Jiri Kosina · f254ae93 · 0b3f6569
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

drivers/hid/hid-logitech-hidpp.c drivers/hid/hid-logitech-hidpp.c +6 -0

未找到文件。
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -794,6 +794,11 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size)

 	switch (data[0]) {
 	case 0x02:
+		if (size < 2) {
+			hid_err(hdev, "Received HID report of bad size (%d)",
+				size);
+			return 1;
+		}
 		if (hidpp->quirks & HIDPP_QUIRK_WTP_PHYSICAL_BUTTONS) {
 			input_event(wd->input, EV_KEY, BTN_LEFT,
 					!!(data[1] & 0x01));
@@ -806,6 +811,7 @@ static int wtp_raw_event(struct hid_device *hdev, u8 *data, int size)
 			return wtp_mouse_raw_xy_event(hidpp, &data[7]);
 		}
 	case REPORT_ID_HIDPP_LONG:
+		/* size is already checked in hidpp_raw_event. */
 		if ((report->fap.feature_index != wd->mt_feature_index) ||
 		    (report->fap.funcindex_clientid != EVENT_TOUCHPAD_RAW_XY))
 			return 1;