]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4f5cac9) | patch
HID: cp2112: prevent a buffer overflow in cp2112_xfer()
authorHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Wed, 8 Jun 2022 12:26:09 +0000 (05:26 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Aug 2022 12:23:40 +0000 (14:23 +0200)
commit7a0340aac0204135f9a98806069381fe2d1fff40
tree3ce185882350b163f547bcb3557b8eb0b4fb70dbtree | snapshot
parent4f5cac9583e2f0317cb3e6a63e98870579e15be7commit | diff
HID: cp2112: prevent a buffer overflow in cp2112_xfer()

[ Upstream commit cccca11076db996f62cdfb6ab3b5f661e60b0216 ]

Smatch warnings:
drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()
'data->block[1]' too small (33 vs 255)
drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too
small (64 vs 255)

The 'read_length' variable is provided by 'data->block[0]' which comes
from user and it(read_length) can take a value between 0-255. Add an
upper bound to 'read_length' variable to prevent a buffer overflow in
memcpy().

Fixes: 73c1d83d8ef9 ("HID: cp2112: Fix I2C_BLOCK_DATA transactions")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/hid/hid-cp2112.c diff | blob | history
Linux Kernel Source Tree.