diff options
author | Pietro Borrello <borrello@diag.uniroma1.it> | 2023-01-11 18:12:16 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-02-06 07:49:39 +0100 |
commit | 7317326f685824c7c29bd80841fd18041af6bb73 (patch) | |
tree | 68e62efac464963e43ce90d905a08ba208be049d | |
parent | 8ee28f88112d83a9189c62d583f1251d6da0bc3e (diff) | |
download | linux-stable-7317326f685824c7c29bd80841fd18041af6bb73.tar.gz linux-stable-7317326f685824c7c29bd80841fd18041af6bb73.tar.bz2 linux-stable-7317326f685824c7c29bd80841fd18041af6bb73.zip |
HID: betop: check shape of output reports
[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ]
betopff_init() only checks the total sum of the report counts for each
report field to be at least 4, but hid_betopff_play() expects 4 report
fields.
A device advertising an output report with one field and 4 report counts
would pass the check but crash the kernel with a NULL pointer dereference
in hid_betopff_play().
Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | drivers/hid/hid-betopff.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c index 9b60efe6ec44..ba386e5aa055 100644 --- a/drivers/hid/hid-betopff.c +++ b/drivers/hid/hid-betopff.c @@ -63,7 +63,6 @@ static int betopff_init(struct hid_device *hid) struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; struct input_dev *dev; - int field_count = 0; int error; int i, j; @@ -89,19 +88,21 @@ static int betopff_init(struct hid_device *hid) * ----------------------------------------- * Do init them with default value. */ + if (report->maxfield < 4) { + hid_err(hid, "not enough fields in the report: %d\n", + report->maxfield); + return -ENODEV; + } for (i = 0; i < report->maxfield; i++) { + if (report->field[i]->report_count < 1) { + hid_err(hid, "no values in the field\n"); + return -ENODEV; + } for (j = 0; j < report->field[i]->report_count; j++) { report->field[i]->value[j] = 0x00; - field_count++; } } - if (field_count < 4) { - hid_err(hid, "not enough fields in the report: %d\n", - field_count); - return -ENODEV; - } - betopff = kzalloc(sizeof(*betopff), GFP_KERNEL); if (!betopff) return -ENOMEM; |