| Message ID | 1354716176-12558-5-git-send-email-benjamin.tissoires@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Jiri Kosina |
| Headers | show |
On Wed, 5 Dec 2012 15:02:56 +0100, Benjamin Tissoires wrote: > The previous memcpy implementation relied on the size advertized by the > device. There were no guarantees that buf was big enough. > > Some gymnastic is also required with the +2/-2 to take into account > the first 2 bytes of the returned buffer where the total returned > length is supplied by the device. > > Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> > --- > drivers/hid/i2c-hid/i2c-hid.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c > index c6630d4..ce01d59 100644 > --- a/drivers/hid/i2c-hid/i2c-hid.c > +++ b/drivers/hid/i2c-hid/i2c-hid.c > @@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, > { > struct i2c_client *client = hid->driver_data; > struct i2c_hid *ihid = i2c_get_clientdata(client); > + size_t ret_count, ask_count; > int ret; > > if (report_type == HID_OUTPUT_REPORT) > return -EINVAL; > > - if (count > ihid->bufsize) > - count = ihid->bufsize; > + /* +2 bytes to include the size of the reply in the query buffer */ > + ask_count = min(count + 2, (size_t)ihid->bufsize); > > ret = i2c_hid_get_report(client, > report_type == HID_FEATURE_REPORT ? 0x03 : 0x01, > - report_number, ihid->inbuf, count); > + report_number, ihid->inbuf, ask_count); > > if (ret < 0) > return ret; > > - count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); > + ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); > > + if (!ret_count) I'd make this (ret_count <= 2), as this would let you call memcpy with a null or even negative length. Other than that, the new code looks OK and safe. > + return 0; > + > + ret_count = min(ret_count, ask_count); > + > + /* The query buffer contains the size, dropping it in the reply */ > + count = min(count, ret_count - 2); > memcpy(buf, ihid->inbuf + 2, count); > > return count;
On Wed, 5 Dec 2012, Jean Delvare wrote: > > The previous memcpy implementation relied on the size advertized by the > > device. There were no guarantees that buf was big enough. > > > > Some gymnastic is also required with the +2/-2 to take into account > > the first 2 bytes of the returned buffer where the total returned > > length is supplied by the device. > > > > Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> > > --- > > drivers/hid/i2c-hid/i2c-hid.c | 16 ++++++++++++---- > > 1 file changed, 12 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c > > index c6630d4..ce01d59 100644 > > --- a/drivers/hid/i2c-hid/i2c-hid.c > > +++ b/drivers/hid/i2c-hid/i2c-hid.c > > @@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, > > { > > struct i2c_client *client = hid->driver_data; > > struct i2c_hid *ihid = i2c_get_clientdata(client); > > + size_t ret_count, ask_count; > > int ret; > > > > if (report_type == HID_OUTPUT_REPORT) > > return -EINVAL; > > > > - if (count > ihid->bufsize) > > - count = ihid->bufsize; > > + /* +2 bytes to include the size of the reply in the query buffer */ > > + ask_count = min(count + 2, (size_t)ihid->bufsize); > > > > ret = i2c_hid_get_report(client, > > report_type == HID_FEATURE_REPORT ? 0x03 : 0x01, > > - report_number, ihid->inbuf, count); > > + report_number, ihid->inbuf, ask_count); > > > > if (ret < 0) > > return ret; > > > > - count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); > > + ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); > > > > + if (!ret_count) > > I'd make this (ret_count <= 2), as this would let you call memcpy with a > null or even negative length. Good catch, it doesn't account for the 2 bytes needed for storing the reply size. I have fixed that and applied the patch, thanks everybody!
On Thu, Dec 6, 2012 at 11:01 AM, Jiri Kosina <jkosina@suse.cz> wrote: >> > - count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); >> > + ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); >> > >> > + if (!ret_count) >> >> I'd make this (ret_count <= 2), as this would let you call memcpy with a >> null or even negative length. > > Good catch, it doesn't account for the 2 bytes needed for storing the > reply size. > > I have fixed that and applied the patch, thanks everybody! > Hi Jiri, Jean, thank you very much for the work done. I was in a meeting past two days, so I was not able to answer sooner. Cheers, Benjamin -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index c6630d4..ce01d59 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -502,23 +502,31 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, { struct i2c_client *client = hid->driver_data; struct i2c_hid *ihid = i2c_get_clientdata(client); + size_t ret_count, ask_count; int ret; if (report_type == HID_OUTPUT_REPORT) return -EINVAL; - if (count > ihid->bufsize) - count = ihid->bufsize; + /* +2 bytes to include the size of the reply in the query buffer */ + ask_count = min(count + 2, (size_t)ihid->bufsize); ret = i2c_hid_get_report(client, report_type == HID_FEATURE_REPORT ? 0x03 : 0x01, - report_number, ihid->inbuf, count); + report_number, ihid->inbuf, ask_count); if (ret < 0) return ret; - count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); + ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8); + if (!ret_count) + return 0; + + ret_count = min(ret_count, ask_count); + + /* The query buffer contains the size, dropping it in the reply */ + count = min(count, ret_count - 2); memcpy(buf, ihid->inbuf + 2, count); return count;
The previous memcpy implementation relied on the size advertized by the device. There were no guarantees that buf was big enough. Some gymnastic is also required with the +2/-2 to take into account the first 2 bytes of the returned buffer where the total returned length is supplied by the device. Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> --- drivers/hid/i2c-hid/i2c-hid.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)