HID: i2c-hid: allocate hid buffers for real worst case

The buffer allocation is not currently accounting for an extra byte for the report id. This can cause an out of bounds access in function i2c_hid_set_or_send_report() with reportID > 15. Cc: stable@vger.kernel.org Signed-off-by: Adrian Salido <salidoa@google.com> Reviewed-by: Benson Leung <bleung@chromium.org> Signed-off-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>

HID: i2c-hid: allocate hid buffers for real worst case
The buffer allocation is not currently accounting for an extra byte for the report id. This can cause an out of bounds access in function i2c_hid_set_or_send_report() with reportID > 15. Cc: stable@vger.kernel.org Signed-off-by: Adrian Salido <salidoa@google.com> Reviewed-by: Benson Leung <bleung@chromium.org> Signed-off-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
8320caee · Adrian Salido · Jiri Kosina · cac72b99 · 8320caee
Commit 8320caee authored Sep 08, 2017 by Adrian Salido Committed by Jiri Kosina Sep 13, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/hid/i2c-hid/i2c-hid.c drivers/hid/i2c-hid/i2c-hid.c +2 -1

No files found.
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
 {
 	/* the worst case is computed from the set_report command with a
 	 * reportID > 15 and the maximum report length */
-	int args_len = sizeof(__u8) + /* optional ReportID byte */
+	int args_len = sizeof(__u8) + /* ReportID */
+		       sizeof(__u8) + /* optional ReportID byte */
 		       sizeof(__u16) + /* data register */
 		       sizeof(__u16) + /* size of the report */
 		       report_size; /* report */