| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2011 21:41:22 +0200
From: Armando Visconti <armando.visconti@...com>
To: <jkosina@...e.cz>
Cc: <linux-input@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
Armando Visconti <armando.visconti@...com>
Subject: [PATCH] HID: Fixed a crash in hid_report_raw_event() function.
I'm using a Data Modul EasyTouch USB multitouch controller,
which is issuing a hid report with a size equals to 0. The rsize
value gets set to 536870912 and Linux is crashing in the memset
because the value is too big.
Signed-off-by: Armando Visconti <armando.visconti@...com>
---
drivers/hid/hid-core.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index c3d6626..3e972e3 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1045,6 +1045,9 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
rsize = ((report->size - 1) >> 3) + 1;
+ if (rsize > HID_MAX_BUFFER_SIZE)
+ rsize = HID_MAX_BUFFER_SIZE;
+
if (csize < rsize) {
dbg_hid("report %d is too short, (%d < %d)\n", report->id,
csize, rsize);
--
1.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists