greybus: hid: fix missing input verification of report events

Add minimal verification of incoming report size, before using it to determine what buffer and size to pass on to HID core. Add comment about protocol needing to be revisited. If we are going to be parsing the report data received, then those fields have to be defined in the Greybus specification at least. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
2015-03-27 12:45:47 +01:00 · 2015-03-27 12:45:47 +01:00 · 382145beb4
commit 382145beb4
parent 36257f6b4e
1 changed files with 5 additions and 1 deletions
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@ -168,8 +168,12 @@ static void gb_hid_irq_handler(u8 type, struct gb_operation *op)
 		return;
 	}

+	/*
+	 * FIXME: add report size to Greybus HID protocol if we need to parse
+	 *        it here.
+	 */
 	size = request->report[0] | request->report[1] << 8;
-	if (!size) {
+	if (size < 2 || size > op->request->payload_size - 2) {
 		dev_err(&connection->dev, "bad report size: %d\n", size);
 		return;
 	}