git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/3.18.3/hid-i2c-hid-prevent-buffer-overflow-in-early-irq.patch
1 From d1c7e29e8d276c669e8790bb8be9f505ddc48888 Mon Sep 17 00:00:00 2001
2 From: Gwendal Grignou <gwendal@chromium.org>
3 Date: Thu, 11 Dec 2014 16:02:45 -0800
4 Subject: HID: i2c-hid: prevent buffer overflow in early IRQ
5
6 From: Gwendal Grignou <gwendal@chromium.org>
7
8 commit d1c7e29e8d276c669e8790bb8be9f505ddc48888 upstream.
9
10 Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
11 64 bytes. While processing the IRQ, we were asking to receive up to
12 wMaxInputLength bytes, which can be bigger than 64 bytes.
13
14 Later, when ->start is run, a proper bufsize will be calculated.
15
16 Given wMaxInputLength is said to be unreliable in other parts of the
17 code, set to receive only what we can even if it results in truncated
18 reports.
19
20 Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
21 Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
22 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
23 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
24
25 ---
26 drivers/hid/i2c-hid/i2c-hid.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29 --- a/drivers/hid/i2c-hid/i2c-hid.c
30 +++ b/drivers/hid/i2c-hid/i2c-hid.c
31 @@ -370,7 +370,7 @@ static int i2c_hid_hwreset(struct i2c_cl
32 static void i2c_hid_get_input(struct i2c_hid *ihid)
33 {
34 int ret, ret_size;
35 - int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
36 + int size = ihid->bufsize;
37
38 ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
39 if (ret != size) {
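Review bot: at `int size = ihid->bufsize;` the reason for no longer using the device-supplied wMaxInputLength is recorded only in the commit message. A short comment above the assignment, saying that inbuf holds only bufsize bytes (HID_MIN_BUFFER_SIZE until ->start() has run), would keep a later cleanup from reinstating the descriptor value as the receive length. Because reports may now arrive truncated, it is also worth confirming that the code following `i2c_master_recv()` never acts on a device-reported length larger than `size`; `ret_size` is declared here but its use lies outside the visible hunk.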