From: Dmitry Torokhov Date: Wed, 1 Apr 2026 06:04:13 +0000 (-0700) Subject: HID: core: do not allow parsing 0-sized reports X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=590204185d84635961b0ce2460784749c959a9b4;p=thirdparty%2Fkernel%2Flinux.git HID: core: do not allow parsing 0-sized reports Commit d7db259bd6df ("HID: core: factor out hid_parse_collections()") reworked collection parsing code and inadvertently allowed returning "success" when parsing 0-sized reports where old code returned -EINVAL. Restore the original behavior by doing an explicit check. Note that the error message now differs from the generic "item fetching failed at offset %u/%u" that is now used only for non-empty descriptors. Fixes: d7db259bd6df ("HID: core: factor out hid_parse_collections()") Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina --- diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 49775e3624ef2..61bc42c44909a 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1272,6 +1272,11 @@ static int hid_parse_collections(struct hid_device *device) device->collection[i].parent_idx = -1; ret = -EINVAL; + if (start == end) { + hid_err(device, "rejecting 0-sized report descriptor\n"); + goto out; + } + while ((next = fetch_item(start, end, &item)) != NULL) { start = next;