From: Eric-Terminal
To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, Yufan Chen
Subject: [PATCH v2] Bluetooth: HIDP: cap report descriptor size in HID setup
Date: Sun, 1 Mar 2026 01:26:57 +0800
Message-ID: <20260228172657.53040-1-ericterminal@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

From: Yufan Chen

hidp_setup_hid() duplicates the report descriptor from userspace based on
req->rd_size. Large values can trigger oversized copies.

Do not reject the connection when rd_size exceeds HID_MAX_DESCRIPTOR_SIZE.
Instead, cap rd_size in hidp_setup_hid() and use the capped value for
memdup_user() and session->rd_size.

This keeps compatibility with existing userspace behavior while bounding
memory usage in the HID setup path.
Signed-off-by: Yufan Chen --- net/bluetooth/hidp/core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 6fe815241..31aeffa39 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -755,13 +755,16 @@ static int hidp_setup_hid(struct hidp_session *session, const struct hidp_connadd_req *req) { struct hid_device *hid; + unsigned int rd_size; int err; - session->rd_data = memdup_user(req->rd_data, req->rd_size); + rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE); + + session->rd_data = memdup_user(req->rd_data, rd_size); if (IS_ERR(session->rd_data)) return PTR_ERR(session->rd_data); - session->rd_size = req->rd_size; + session->rd_size = rd_size; hid = hid_allocate_device(); if (IS_ERR(hid)) { -- 2.47.3
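Review bot: the cap on the `+ rd_size = min_t(unsigned int, req->rd_size, HID_MAX_DESCRIPTOR_SIZE);` line truncates silently: a caller that passes a larger rd_size gets a session whose descriptor is cut at HID_MAX_DESCRIPTOR_SIZE, with `session->rd_size = rd_size;` no longer matching what userspace supplied and no error or diagnostic to indicate it. The commit message explains why truncation was chosen over returning an error (compatibility with existing userspace), but the code does not, so a one-line comment above the min_t() call stating that oversized descriptors are deliberately clamped rather than rejected would keep that rationale next to the behaviour it justifies. The bounding itself is correct as written: memdup_user() now never copies more than HID_MAX_DESCRIPTOR_SIZE bytes, and the stored rd_size always matches the allocation it describes, which is the invariant the later HID parsing relies on.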