diff options
| author | Greg Kroah-Hartman <gregkh@google.com> | 2017-10-18 09:45:37 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2017-10-18 09:45:37 +0200 |
| commit | b86d2b14679197d23432f842d478c92f2c59faeb (patch) | |
| tree | 39f81e559f1fbc662ee9d28da2e5e3b90cf711fc /drivers/hid | |
| parent | 5c73594e214f2328112d6ace6098a5a99860ec36 (diff) | |
| parent | 5d7a76acad403638f635c918cc63d1d44ffa4065 (diff) | |
Merge 4.9.57 into android-4.9
Changes in 4.9.57
ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
CIFS: Reconnect expired SMB sessions
nl80211: Define policy for packet pattern attributes
rcu: Allow for page faults in NMI handlers
USB: dummy-hcd: Fix deadlock caused by disconnect detection
MIPS: math-emu: Remove pr_err() calls from fpu_emu()
dmaengine: edma: Align the memcpy acnt array size with the transfer
dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse
HID: usbhid: fix out-of-bounds bug
crypto: shash - Fix zero-length shash ahash digest crash
KVM: MMU: always terminate page walks at level 1
KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
pinctrl/amd: Fix build dependency on pinmux code
iommu/amd: Finish TLB flush in amd_iommu_unmap()
device property: Track owner device of device property
fs/mpage.c: fix mpage_writepage() for pages with buffers
ALSA: usb-audio: Kill stray URB at exiting
ALSA: seq: Fix use-after-free at creating a port
ALSA: seq: Fix copy_from_user() call inside lock
ALSA: caiaq: Fix stray URB at probe error path
ALSA: line6: Fix missing initialization before error path
ALSA: line6: Fix leftover URB at error-path during probe
drm/i915/edp: Get the Panel Power Off timestamp after panel is off
drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get()
drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
usb: gadget: configfs: Fix memory leak of interface directory data
usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
direct-io: Prevent NULL pointer access in submit_page_section
fix unbalanced page refcounting in bio_map_user_iov
more bio_map_user_iov() leak fixes
bio_copy_user_iov(): don't ignore ->iov_offset
USB: serial: ftdi_sio: add id for Cypress WICED dev board
USB: serial: cp210x: add support for ELV TFD500
USB: serial: option: add support for TP-Link LTE module
USB: serial: qcserial: add Dell DW5818, DW5819
USB: serial: console: fix use-after-free after failed setup
x86/alternatives: Fix alt_max_short macro to really be a max()
KVM: nVMX: update last_nonleaf_level when initializing nested EPT
Linux 4.9.57
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'drivers/hid')
| -rw-r--r-- | drivers/hid/usbhid/hid-core.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index ae83af649a60..7838343eb37c 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -971,6 +971,8 @@ static int usbhid_parse(struct hid_device *hid) unsigned int rsize = 0; char *rdesc; int ret, n; + int num_descriptors; + size_t offset = offsetof(struct hid_descriptor, desc); quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor), le16_to_cpu(dev->descriptor.idProduct)); @@ -993,10 +995,18 @@ static int usbhid_parse(struct hid_device *hid) return -ENODEV; } + if (hdesc->bLength < sizeof(struct hid_descriptor)) { + dbg_hid("hid descriptor is too short\n"); + return -EINVAL; + } + hid->version = le16_to_cpu(hdesc->bcdHID); hid->country = hdesc->bCountryCode; - for (n = 0; n < hdesc->bNumDescriptors; n++) + num_descriptors = min_t(int, hdesc->bNumDescriptors, + (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); + + for (n = 0; n < num_descriptors; n++) if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); |