HID: picolcd: sanity check report size in raw_event() callback commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream. The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [lizf: Backported to 3.4: adjust filename] Signed-off-by: Zefan Li <lizefan@huawei.com>

commit: 3cedf2ece7238feb468cdfc2457b321ce7e994f2 [log] [tgz]
author: Jiri Kosina <jkosina@suse.cz> Wed Aug 27 09:13:15 2014 +0200
committer: chrmhoffmann <chrmhoffmann@gmail.com> Sun Apr 05 10:20:39 2020 +0200
tree: de9f8957105f9bbec25988e2738394cbeecd93ef
parent: aeab631811cb795cc384a3c9bd3346767a0b3daf [diff]
diff --git a/drivers/hid/hid-picolcd.c b/drivers/hid/hid-picolcd.c
index 95f9047..4e37b1f 100644
--- a/drivers/hid/hid-picolcd.c
+++ b/drivers/hid/hid-picolcd.c

@@ -2370,6 +2370,12 @@
 	if (!data)
 		return 1;
 
+	if (size > 64) {
+		hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
+				size);
+		return 0;
+	}
+
 	if (report->id == REPORT_KEY_STATE) {
 		if (data->input_keys)
 			ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
commit	3cedf2ece7238feb468cdfc2457b321ce7e994f2	[log] [tgz]
author	Jiri Kosina <jkosina@suse.cz>	Wed Aug 27 09:13:15 2014 +0200
committer	chrmhoffmann <chrmhoffmann@gmail.com>	Sun Apr 05 10:20:39 2020 +0200
tree	de9f8957105f9bbec25988e2738394cbeecd93ef
parent	aeab631811cb795cc384a3c9bd3346767a0b3daf [diff]