| Message ID | 20180104060608.11156-2-aaron.ma@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [1/2] HID: core: i2c-hid: fix size check and type usage | expand |
> On 4 Jan 2018, at 2:06 PM, Aaron Ma <aaron.ma@canonical.com> wrote: > > BugLink: https://bugs.launchpad.net/bugs/1741168 > > Link: https://patchwork.kernel.org/patch/10141099/ > > When convert char array with signed int, if the inbuf[x] is negative then > upper bits will be set to 1. Fix this by using u8 instead of char. > > ret_size has to be at least 3, hid_input_report use it after minus 2 bytes. > > size should be more than 0 to keep memset safe. > > Cc: stable@vger.kernel.org > Signed-off-by: Aaron Ma <aaron.ma@canonical.com> > --- > drivers/hid/hid-core.c | 4 ++-- > drivers/hid/i2c-hid/i2c-hid.c | 10 +++++----- > 2 files changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c > index efb3501b4123..c40dc6406966 100644 > --- a/drivers/hid/hid-core.c > +++ b/drivers/hid/hid-core.c > @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, > if (rsize > HID_MAX_BUFFER_SIZE) > rsize = HID_MAX_BUFFER_SIZE; > > - if (csize < rsize) { > + if ((csize < rsize) && (csize > 0)) { > dbg_hid("report %d is too short, (%d < %d)\n", report->id, > csize, rsize); > memset(cdata + csize, 0, rsize - csize); Why is skipping memset() when csize == 0 necessary? Kai-Heng > @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i > report_enum = hid->report_enum + type; > hdrv = hid->driver; > > - if (!size) { > + if (size <= 0) { > dbg_hid("empty report\n"); > ret = -1; > goto unlock; > diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c > index 364150435c62..4b3a703f297b 100644 > --- a/drivers/hid/i2c-hid/i2c-hid.c > +++ b/drivers/hid/i2c-hid/i2c-hid.c > @@ -143,10 +143,10 @@ struct i2c_hid { > * register of the HID > * descriptor. */ > unsigned int bufsize; /* i2c buffer size */ > - char *inbuf; /* Input buffer */ > - char *rawbuf; /* Raw Input buffer */ > - char *cmdbuf; /* Command buffer */ > - char *argsbuf; /* Command arguments buffer */ > + u8 *inbuf; /* Input buffer */ > + u8 *rawbuf; /* Raw Input buffer */ > + u8 *cmdbuf; /* Command buffer */ > + u8 *argsbuf; /* Command arguments buffer */ > > unsigned long flags; /* device flags */ > unsigned long quirks; /* Various quirks */ > @@ -468,7 +468,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) > > ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8; > > - if (!ret_size) { > + if (ret_size <= 2) { > /* host or device initiated RESET completed */ > if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags)) > wake_up(&ihid->wait); > -- > 2.14.3 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index efb3501b4123..c40dc6406966 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, if (rsize > HID_MAX_BUFFER_SIZE) rsize = HID_MAX_BUFFER_SIZE; - if (csize < rsize) { + if ((csize < rsize) && (csize > 0)) { dbg_hid("report %d is too short, (%d < %d)\n", report->id, csize, rsize); memset(cdata + csize, 0, rsize - csize); @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i report_enum = hid->report_enum + type; hdrv = hid->driver; - if (!size) { + if (size <= 0) { dbg_hid("empty report\n"); ret = -1; goto unlock; diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index 364150435c62..4b3a703f297b 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -143,10 +143,10 @@ struct i2c_hid { * register of the HID * descriptor. */ unsigned int bufsize; /* i2c buffer size */ - char *inbuf; /* Input buffer */ - char *rawbuf; /* Raw Input buffer */ - char *cmdbuf; /* Command buffer */ - char *argsbuf; /* Command arguments buffer */ + u8 *inbuf; /* Input buffer */ + u8 *rawbuf; /* Raw Input buffer */ + u8 *cmdbuf; /* Command buffer */ + u8 *argsbuf; /* Command arguments buffer */ unsigned long flags; /* device flags */ unsigned long quirks; /* Various quirks */ @@ -468,7 +468,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8; - if (!ret_size) { + if (ret_size <= 2) { /* host or device initiated RESET completed */ if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags)) wake_up(&ihid->wait);
BugLink: https://bugs.launchpad.net/bugs/1741168 Link: https://patchwork.kernel.org/patch/10141099/ When convert char array with signed int, if the inbuf[x] is negative then upper bits will be set to 1. Fix this by using u8 instead of char. ret_size has to be at least 3, hid_input_report use it after minus 2 bytes. size should be more than 0 to keep memset safe. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma <aaron.ma@canonical.com> --- drivers/hid/hid-core.c | 4 ++-- drivers/hid/i2c-hid/i2c-hid.c | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-)