Patch "HID: logitech: fix bounds checking on LED report size" has been added to the 3.16-stable tree

Tue, 26 Aug 2014 16:27:06 -0700 

This is a note to let you know that I've just added the patch titled

    HID: logitech: fix bounds checking on LED report size

to the 3.16-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     hid-logitech-fix-bounds-checking-on-led-report-size.patch
and it can be found in the queue-3.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 51217e69697fba92a06e07e16f55c9a52d8e8945 Mon Sep 17 00:00:00 2001
From: Jiri Kosina <[email protected]>
Date: Thu, 21 Aug 2014 09:56:47 -0500
Subject: HID: logitech: fix bounds checking on LED report size

From: Jiri Kosina <[email protected]>

commit 51217e69697fba92a06e07e16f55c9a52d8e8945 upstream.

The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
is wrong; the current check doesn't make any sense -- the report allocated
by HID core in hid_hw_raw_request() can be much larger than
DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
handle this properly at all.

Fix the check by actually trimming down the report size properly if it is
too large.

Reported-by: Ben Hawkes <[email protected]>
Reviewed-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 drivers/hid/hid-logitech-dj.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -557,7 +557,7 @@ static int logi_dj_ll_raw_request(struct
        if (!out_buf)
                return -ENOMEM;
 
-       if (count < DJREPORT_SHORT_LENGTH - 2)
+       if (count > DJREPORT_SHORT_LENGTH - 2)
                count = DJREPORT_SHORT_LENGTH - 2;
 
        out_buf[0] = REPORT_ID_DJ_SHORT;


Patches currently in stable-queue which might be from [email protected] are

queue-3.16/hid-fix-a-couple-of-off-by-ones.patch
queue-3.16/hid-logitech-fix-bounds-checking-on-led-report-size.patch
queue-3.16/hid-logitech-perform-bounds-checking-on-device_id-early-enough.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to