HID: sony: add missing size validation for SMK-Link remotes

This commit adds the missing size validation for SMK-Link remotes in
sony_raw_event(), this prevents a malicious device from allowing
hid-sony to read out of bounds of the provided buffer.

I do not own these devices so the size check only forces that the buffer
is large enough for nsg_mrxu_parse_report().

Signed-off-by: Rosalie Wanders <rosalie@mailbox.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
index 6a860b9ef677a281b3ceb4f702671bc1d0ab5844..13fe7a3e57d736685d449ba88526dd71a38615bf 100644 (file)
--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -1169,10 +1169,9 @@ static int sony_raw_event(struct hid_device *hdev, struct hid_report *report,
                sixaxis_parse_report(sc, rd, size);
        } else if ((sc->quirks & MOTION_CONTROLLER_BT) && rd[0] == 0x01 && size == 49) {
                sixaxis_parse_report(sc, rd, size);
-       } else if ((sc->quirks & NAVIGATION_CONTROLLER) && rd[0] == 0x01 &&
-                       size == 49) {
+       } else if ((sc->quirks & NAVIGATION_CONTROLLER) && rd[0] == 0x01 && size == 49) {
                sixaxis_parse_report(sc, rd, size);
-       } else if ((sc->quirks & NSG_MRXU_REMOTE) && rd[0] == 0x02) {
+       } else if ((sc->quirks & NSG_MRXU_REMOTE) && rd[0] == 0x02 && size >= 12) {
                nsg_mrxu_parse_report(sc, rd, size);
                return 1;
        } else if ((sc->quirks & RB4_GUITAR_PS4_USB) && rd[0] == 0x01 && size == 64) {