From 27174cff8fcfcb3a60a3e7225cc627f6a4b7f827 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires Date: Wed, 5 Dec 2012 15:02:53 +0100 Subject: [PATCH] HID: i2c-hid: fix memory corruption due to missing hid declaration HID descriptors contains 4 bytes of reserved field. The previous implementation was overriding the next fields in struct i2c_hid. Signed-off-by: Benjamin Tissoires Reviewed-by: Jean Delvare Signed-off-by: Jiri Kosina --- drivers/hid/i2c-hid/i2c-hid.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index 7062df21da52..34cca428a6a9 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -69,6 +69,7 @@ struct i2c_hid_desc { __le16 wVendorID; __le16 wProductID; __le16 wVersionID; + __le32 reserved; } __packed; struct i2c_hid_cmd { @@ -776,7 +777,13 @@ static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid) } dsize = le16_to_cpu(hdesc->wHIDDescLength); - if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) { + /* + * the size of the HID descriptor should at least contain + * its size and the bcdVersion (4 bytes), and should not be greater + * than sizeof(struct i2c_hid_desc) as we directly fill this struct + * through i2c_hid_command. + */ + if (dsize < 4 || dsize > sizeof(struct i2c_hid_desc)) { dev_err(&client->dev, "weird size of HID descriptor (%u)\n", dsize); return -ENODEV; -- 2.20.1