commit 5abb9cd4ff92c03410679842ba0cf9be4162873b
author Adrian Salido <salidoa@google.com> Fri Sep 08 10:55:27 2017 -0700
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thu Oct 12 11:51:24 2017 +0200
tree b578e5541ebe38c6f024ad230bfd110b9234709c
parent a3ec104976f799808c2c1d8b32005c67b0037adb

HID: i2c-hid: allocate hid buffers for real worst case

commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream.

The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.

Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>