From 382145beb4a4bb057f17d5b411546b6b56fbacd1 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@hovoldconsulting.com>
Date: Fri, 27 Mar 2015 12:45:47 +0100
Subject: [PATCH] greybus: hid: fix missing input verification of report events

Add minimal verification of incoming report size, before using it to
determine what buffer and size to pass on to HID core.

Add comment about protocol needing to be revisited. If we are going to
be parsing the report data received, then those fields have to be
defined in the Greybus specification at least.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
---
 drivers/staging/greybus/hid.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index a225813bc477..8e32dfcd1131 100644
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -168,8 +168,12 @@ static void gb_hid_irq_handler(u8 type, struct gb_operation *op)
 		return;
 	}
 
+	/*
+	 * FIXME: add report size to Greybus HID protocol if we need to parse
+	 *        it here.
+	 */
 	size = request->report[0] | request->report[1] << 8;
-	if (!size) {
+	if (size < 2 || size > op->request->payload_size - 2) {
 		dev_err(&connection->dev, "bad report size: %d\n", size);
 		return;
 	}
-- 
2.11.0