HID: fix HIDIOCGRDESC memory access in hidraw

Fix bogus copying of data into userspace when HIDIOCGRDESC is issued. HID-transport layer makes sure that dev->hid->rdesc is not larger than HID_MAX_DESCRIPTOR_SIZE. Noticed-by: Al Viro <viro@ftp.linux.org.uk> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Jiri Kosina <jkosina@suse.cz> 2007-10-15 15:17:41 +0200
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-10-15 08:12:00 -0700
commit: 57d292bd7e6e72898e533687af481603597b1ca7 (patch)
tree: d9594d10bfc843b44eb4ad1b32f945b000330f8c /drivers/hid
parent: 23fd50450a34f2558070ceabb0bfebc1c9604af5 (diff)
download: linux-57d292bd7e6e72898e533687af481603597b1ca7.tar.gz
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index 8503197a8131..a702e2f6da7d 100644
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -229,9 +229,15 @@ static int hidraw_ioctl(struct inode *inode, struct file *file, unsigned int cmd
 
 				if (get_user(len, (int __user *)arg))
 					return -EFAULT;
-				if (copy_to_user(*((__u8 **)(user_arg +
-							sizeof(__u32))),
-							dev->hid->rdesc, len))
+
+				if (len > HID_MAX_DESCRIPTOR_SIZE - 1)
+					return -EINVAL;
+
+				if (copy_to_user(user_arg + offsetof(
+								struct hidraw_report_descriptor,
+								value[0]),
+							dev->hid->rdesc,
+							min(dev->hid->rsize, len)))
 						return -EFAULT;
 				return 0;
 			}
author	Jiri Kosina <jkosina@suse.cz>	2007-10-15 15:17:41 +0200
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-10-15 08:12:00 -0700
commit	57d292bd7e6e72898e533687af481603597b1ca7 (patch)
tree	d9594d10bfc843b44eb4ad1b32f945b000330f8c /drivers/hid
parent	23fd50450a34f2558070ceabb0bfebc1c9604af5 (diff)
download	linux-57d292bd7e6e72898e533687af481603597b1ca7.tar.gz