HID: logitech-hidpp: Check bounds when deleting force-feedback effects

Without this bounds check, this might otherwise overwrite index -1.

Triggering this condition requires action both from the USB device and from
userspace, which reduces the scenarios in which it can be exploited.

Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Günther Noack <gnoack@google.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 65bfad405ac5b4f38b6534e91d1c7fc283eef5dc..ab5d676cbb029d53bebfb8f5c666293af699678b 100644 (file)
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -2502,12 +2502,15 @@ static void hidpp_ff_work_handler(struct work_struct *w)
                }
                break;
        case HIDPP_FF_DESTROY_EFFECT:
-               if (wd->effect_id >= 0)
-                       /* regular effect destroyed */
-                       data->effect_ids[wd->params[0]-1] = -1;
-               else if (wd->effect_id >= HIDPP_FF_EFFECTID_AUTOCENTER)
-                       /* autocenter spring destroyed */
-                       data->slot_autocenter = 0;
+               slot = wd->params[0];
+               if (slot > 0 && slot <= data->num_effects) {
+                       if (wd->effect_id >= 0)
+                               /* regular effect destroyed */
+                               data->effect_ids[slot-1] = -1;
+                       else if (wd->effect_id >= HIDPP_FF_EFFECTID_AUTOCENTER)
+                               /* autocenter spring destroyed */
+                               data->slot_autocenter = 0;
+               }
                break;
        case HIDPP_FF_SET_GLOBAL_GAINS:
                data->gain = (wd->params[0] << 8) + wd->params[1];