From patchwork Thu Jan 12 17:17:43 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 9513693 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id ADE11601E5 for ; Thu, 12 Jan 2017 17:38:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A311C286C7 for ; Thu, 12 Jan 2017 17:38:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 978A6286D2; Thu, 12 Jan 2017 17:38:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3F059286C7 for ; Thu, 12 Jan 2017 17:38:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751099AbdALRTx (ORCPT ); Thu, 12 Jan 2017 12:19:53 -0500 Received: from mail-lf0-f68.google.com ([209.85.215.68]:33512 "EHLO mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751008AbdALRS3 (ORCPT ); Thu, 12 Jan 2017 12:18:29 -0500 Received: by mail-lf0-f68.google.com with SMTP id k62so2808760lfg.0; Thu, 12 Jan 2017 09:17:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; bh=zWmRY/winwfqfCHlvLFo2C6GezL7NxCET8G9zNMdGcA=; b=Rf4w79UEY3K8bdt7G989hZJTJYIpRZ7Ww6fegn/dmb3gYcexxYuE4GnpWayNJiDpd0 Yn0FAfCjDi6OWxm6fLPJFnZlelC7uOFwuTsdDlEMCqLzGxN/XVptmhRgZrkdNxPFCqVH lrZ/C7GeNvU8Mmy/NaPwaYydVX4YOv10qz4FIKYQIIWFOvhW9lf/WtVGSO//J0hzXS7A zO2FcizoquGrtPQ3nxeRGYHMa8REjFSAdpXRSsdpR5RemXz66qnQEEUO+iy+lK3ZEV4L 8vd5LL0h0I9/V4mew8XJlFj4VXJYTZ1S5ykpAMO4HgPu5AJs4C2VffSARuY3bNyPRWUh DhTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references; bh=zWmRY/winwfqfCHlvLFo2C6GezL7NxCET8G9zNMdGcA=; b=q7P6HM+qbovOfks0+PTURF8FMGLvnoHE8Vy8eBz3QfX7w7xI31S+077WqD0XuI9guP 5VY9NHh17i/CpP6F1EksrRb2ZynEGtZE2uVoP/3ZVdukqv6wEn8SUeU3fH0r9s+ZDErE 8DHF5Wq4Xhf/lKjCp4WYtHGDcsdsWbaCp8VROVexJEXmLsviDeAZhkldLrH+daq/+4hZ Z4pRagdQAPxws9wzoCmI/pG5Rfv4I0AHMnqIwjGWfn5D6EET/a/Bfkq1g9IJlxrPUcO6 vSRnLnlkr51VwdQMdzPwqO07UGGTb2SQPAn2O8kY7VN7dYhm25gzQ3ojbMKPRGp4zbGl zG+A== X-Gm-Message-State: AIkVDXJ1dNY+hZPfzMNyiUIg+35K9mKQA9kC2ErlraEv6lIdzQiKJAyzhpwFY7Z4wRdphw== X-Received: by 10.25.211.134 with SMTP id k128mr6245550lfg.118.1484241478946; Thu, 12 Jan 2017 09:17:58 -0800 (PST) Received: from xi.terra (c-04aadb54.07-184-6d6c6d4.cust.bredbandsbolaget.se. [84.219.170.4]) by smtp.gmail.com with ESMTPSA id v9sm2531952lja.0.2017.01.12.09.17.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Jan 2017 09:17:57 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.88) (envelope-from ) id 1cRj0h-0001ZA-8F; Thu, 12 Jan 2017 18:17:59 +0100 From: Johan Hovold To: Jiri Kosina Cc: Benjamin Tissoires , linux-input@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable Subject: [PATCH 2/2] HID: corsair: fix control-transfer error handling Date: Thu, 12 Jan 2017 18:17:43 +0100 Message-Id: <20170112171743.5972-3-johan@kernel.org> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20170112171743.5972-1-johan@kernel.org> References: <20170112171743.5972-1-johan@kernel.org> Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Make sure to check for short control transfers in order to avoid parsing uninitialised buffer data and leaking it to user space. Note that the backlight and macro-mode buffer constraints are kept as loose as possible in order to avoid any regressions should the current buffer sizes be larger than necessary. Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver") Cc: stable Signed-off-by: Johan Hovold --- drivers/hid/hid-corsair.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/hid/hid-corsair.c b/drivers/hid/hid-corsair.c index 5971907a23b1..c0303f61c26a 100644 --- a/drivers/hid/hid-corsair.c +++ b/drivers/hid/hid-corsair.c @@ -159,7 +159,7 @@ static enum led_brightness k90_backlight_get(struct led_classdev *led_cdev) USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, 0, 0, data, 8, USB_CTRL_SET_TIMEOUT); - if (ret < 0) { + if (ret < 5) { dev_warn(dev, "Failed to get K90 initial state (error %d).\n", ret); ret = -EIO; @@ -274,7 +274,7 @@ static ssize_t k90_show_macro_mode(struct device *dev, USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, 0, 0, data, 2, USB_CTRL_SET_TIMEOUT); - if (ret < 0) { + if (ret < 1) { dev_warn(dev, "Failed to get K90 initial mode (error %d).\n", ret); ret = -EIO; @@ -351,7 +351,7 @@ static ssize_t k90_show_current_profile(struct device *dev, USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, 0, 0, data, 8, USB_CTRL_SET_TIMEOUT); - if (ret < 0) { + if (ret < 8) { dev_warn(dev, "Failed to get K90 initial state (error %d).\n", ret); ret = -EIO;