greybus: hid: fix missing input verification of report events

Add minimal verification of incoming report size, before using it to
determine what buffer and size to pass on to HID core.

Add comment about protocol needing to be revisited. If we are going to
be parsing the report data received, then those fields have to be
defined in the Greybus specification at least.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index a225813bc477bd49fba61304dc157a28c9fc5ee0..8e32dfcd1131c448e0b541a098909224219c56ca 100644 (file)
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -168,8 +168,12 @@ static void gb_hid_irq_handler(u8 type, struct gb_operation *op)
                return;
        }
 
+       /*
+        * FIXME: add report size to Greybus HID protocol if we need to parse
+        *        it here.
+        */
        size = request->report[0] | request->report[1] << 8;
-       if (!size) {
+       if (size < 2 || size > op->request->payload_size - 2) {
                dev_err(&connection->dev, "bad report size: %d\n", size);
                return;
        }