p71924506
/
linux_old1
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

HID: rmi: check that report ids exist in the report_id_hash before accessing their size 

It is possible that the hid-rmi driver could get loaded onto a device which does not have the
expected report ids. This should not happen because it would indicate that the hid-rmi driver is
not compatible with that device. However, if it does happen it should return an error from probe
instead of dereferencing a null pointer.

related bug:
https://bugzilla.kernel.org/show_bug.cgi?id=80091

Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This commit is contained in:
Andrew Duggan 2014-07-17 16:14:44 -07:00 committed by Jiri Kosina
parent 01a5f8a401
commit dd3edeb6a0
1 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
drivers/hid/hid-rmi.c
View File

@ -848,6 +848,8 @@ static int rmi_probe(struct hid_device *hdev, const struct hid_device_id *id)
struct rmi_data *data = NULL;
int ret;
size_t alloc_size;
struct hid_report *input_report;
struct hid_report *output_report;
data = devm_kzalloc(&hdev->dev, sizeof(struct rmi_data), GFP_KERNEL);
if (!data)
@ -866,12 +868,26 @@ static int rmi_probe(struct hid_device *hdev, const struct hid_device_id *id)
return ret;
}
data->input_report_size = (hdev->report_enum[HID_INPUT_REPORT]
.report_id_hash[RMI_ATTN_REPORT_ID]->size >> 3)
+ 1 /* report id */;
data->output_report_size = (hdev->report_enum[HID_OUTPUT_REPORT]
.report_id_hash[RMI_WRITE_REPORT_ID]->size >> 3)
+ 1 /* report id */;
input_report = hdev->report_enum[HID_INPUT_REPORT]
.report_id_hash[RMI_ATTN_REPORT_ID];
if (!input_report) {
hid_err(hdev, "device does not have expected input report\n");
ret = -ENODEV;
return ret;
}
data->input_report_size = (input_report->size >> 3) + 1 /* report id */;
output_report = hdev->report_enum[HID_OUTPUT_REPORT]
.report_id_hash[RMI_WRITE_REPORT_ID];
if (!output_report) {
hid_err(hdev, "device does not have expected output report\n");
ret = -ENODEV;
return ret;
}
data->output_report_size = (output_report->size >> 3)
+ 1 /* report id */;
alloc_size = data->output_report_size + data->input_report_size;