psize is built from the first two bytes read from the device, but it
could be completely bogus, especially when polling. This can result
in a panic when reading p.
Promote it to a signed int so that a value going negative is caught, and discard it if it is 2 or less, because shortly afterwards it is decreased by 2 or 3.
Index: sys/dev/i2c/ihidev.c
===================================================================
RCS file: /cvs/src/sys/dev/i2c/ihidev.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 ihidev.c
--- sys/dev/i2c/ihidev.c 20 Sep 2018 01:19:56 -0000 1.18
+++ sys/dev/i2c/ihidev.c 8 Apr 2019 14:42:53 -0000
@@ -585,8 +585,7 @@ ihidev_intr(void *arg)
{
struct ihidev_softc *sc = arg;
struct ihidev *scd;
- u_int psize;
- int res, i, fast = 0;
+ int psize, res, i, fast = 0;
u_char *p;
u_int rep = 0;
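Review bot: The new `int psize` declared in this hunk is compared against `sc->sc_isize` in the second hunk, and if `sc_isize` is an unsigned type (its declaration is not in this diff) that comparison is performed in unsigned arithmetic; that is only safe because psize, built from two device bytes, is at most 0xFFFF and cannot be negative at that point, which nothing in the code states. A short comment at the declaration would keep a later cleanup from reverting the type or reordering the check: `int psize;	/* device-supplied 16-bit length; signed so the -2/-3 adjustment below cannot wrap, validated before use */`. Splitting it out of the merged `int psize, res, i, fast = 0;` line also makes the intent visible in a diff. ihidev_intr's body continues outside this hunk.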
@@ -605,7 +604,7 @@ ihidev_intr(void *arg)
* than or equal to wMaxInputLength
*/
psize = sc->sc_ibuf[0] | sc->sc_ibuf[1] << 8;
- if (!psize || psize > sc->sc_isize) {
+ if (psize <= 2 || psize > sc->sc_isize) {
if (sc->sc_poll) {
/*
* TODO: all fingers are up, should we pass to hid