From: Marcus Folkesson <marcus.folkesson@gmail.com>
To: Aaron Ma <aaron.ma@canonical.com>
Cc: linux-kernel@vger.kernel.org, linux-input@vger.kernel.org,
jikos@kernel.org, benjamin.tissoires@redhat.com
Subject: Re: [PATCH 1/2] HID: core: i2c-hid: fix size check and type usage
Date: Sat, 3 Feb 2018 09:36:51 +0100 [thread overview]
Message-ID: <20180203083651.GB707@gmail.com> (raw)
In-Reply-To: <20180102173006.506-1-aaron.ma@canonical.com>
[-- Attachment #1: Type: text/plain, Size: 2918 bytes --]
Hi Aaron,
On Wed, Jan 03, 2018 at 01:30:05AM +0800, Aaron Ma wrote:
> When convert char array with signed int, if the inbuf[x] is negative then
> upper bits will be set to 1. Fix this by using u8 instead of char.
>
> ret_size has to be at least 3, hid_input_report use it after minus 2 bytes.
At least 2?
hid_input_report() checks (!size)
>
> size should be more than 0 to keep memset safe.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
> ---
> drivers/hid/hid-core.c | 4 ++--
> drivers/hid/i2c-hid/i2c-hid.c | 10 +++++-----
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 0c3f608131cf..992547771d96 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -1506,7 +1506,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
> if (rsize > HID_MAX_BUFFER_SIZE)
> rsize = HID_MAX_BUFFER_SIZE;
>
> - if (csize < rsize) {
> + if ((csize < rsize) && (csize > 0)) {
> dbg_hid("report %d is too short, (%d < %d)\n", report->id,
> csize, rsize);
> memset(cdata + csize, 0, rsize - csize);
> @@ -1566,7 +1566,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int i
> report_enum = hid->report_enum + type;
> hdrv = hid->driver;
>
> - if (!size) {
> + if (size <= 0) {
All code that is using hid_input_report() seems to check that no
negative size is provided.
If we want this check, maybe we should consider making size unsigned
instead?
> dbg_hid("empty report\n");
> ret = -1;
> goto unlock;
> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> index e054ee43c1e2..09404ffdb08b 100644
> --- a/drivers/hid/i2c-hid/i2c-hid.c
> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> @@ -144,10 +144,10 @@ struct i2c_hid {
> * register of the HID
> * descriptor. */
> unsigned int bufsize; /* i2c buffer size */
> - char *inbuf; /* Input buffer */
> - char *rawbuf; /* Raw Input buffer */
> - char *cmdbuf; /* Command buffer */
> - char *argsbuf; /* Command arguments buffer */
> + u8 *inbuf; /* Input buffer */
> + u8 *rawbuf; /* Raw Input buffer */
> + u8 *cmdbuf; /* Command buffer */
> + u8 *argsbuf; /* Command arguments buffer */
Looks good
>
> unsigned long flags; /* device flags */
> unsigned long quirks; /* Various quirks */
> @@ -473,7 +473,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
>
> ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8;
>
> - if (!ret_size) {
> + if (ret_size <= 2) {
if (ret_size < 2) ?
> /* host or device initiated RESET completed */
> if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags))
> wake_up(&ihid->wait);
> --
> 2.14.3
Best regards
Marcus Folkesson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2018-02-03 8:36 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-02 17:30 [PATCH 1/2] HID: core: i2c-hid: fix size check and type usage Aaron Ma
2018-01-02 17:30 ` [PATCH 2/2] HID: i2c-hid: Fix resume issue on Raydium touchscreen device Aaron Ma
2018-01-04 10:34 ` Benjamin Tissoires
2018-01-04 12:56 ` Aaron Ma
2018-02-03 3:59 ` Aaron Ma
2018-04-03 9:16 ` Aaron Ma
2018-04-09 7:29 ` Jiri Kosina
2018-04-09 7:31 ` Aaron Ma
2018-01-04 10:44 ` [PATCH 1/2] HID: core: i2c-hid: fix size check and type usage Benjamin Tissoires
2018-01-04 12:58 ` Aaron Ma
2018-02-03 8:36 ` Marcus Folkesson [this message]
2018-02-03 14:17 ` Aaron Ma
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180203083651.GB707@gmail.com \
--to=marcus.folkesson@gmail.com \
--cc=aaron.ma@canonical.com \
--cc=benjamin.tissoires@redhat.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.