From 57d292bd7e6e72898e533687af481603597b1ca7 Mon Sep 17 00:00:00 2001 From: Jiri Kosina Date: Mon, 15 Oct 2007 15:17:41 +0200 Subject: HID: fix HIDIOCGRDESC memory access in hidraw Fix bogus copying of data into userspace when HIDIOCGRDESC is issued. HID-transport layer makes sure that dev->hid->rdesc is not larger than HID_MAX_DESCRIPTOR_SIZE. Noticed-by: Al Viro Signed-off-by: Jiri Kosina Signed-off-by: Linus Torvalds --- drivers/hid/hidraw.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'drivers/hid') diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 8503197a8131..a702e2f6da7d 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -229,9 +229,15 @@ static int hidraw_ioctl(struct inode *inode, struct file *file, unsigned int cmd if (get_user(len, (int __user *)arg)) return -EFAULT; - if (copy_to_user(*((__u8 **)(user_arg + - sizeof(__u32))), - dev->hid->rdesc, len)) + + if (len > HID_MAX_DESCRIPTOR_SIZE - 1) + return -EINVAL; + + if (copy_to_user(user_arg + offsetof( + struct hidraw_report_descriptor, + value[0]), + dev->hid->rdesc, + min(dev->hid->rsize, len))) return -EFAULT; return 0; } -- cgit v1.2.1