From: Johan Hovold Date: Fri, 27 Mar 2015 11:45:46 +0000 (+0100) Subject: greybus: hid: fix null-deref on short report requests X-Git-Tag: v4.14-rc1~2366^2~378^2~21^2~1629 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=36257f6b4e7671cb12f98d91a6ffdeabdc254d0c;p=platform%2Fkernel%2Flinux-rpi.git greybus: hid: fix null-deref on short report requests Make sure to verify the length of incoming requests before trying to parse the request buffer, which can even be NULL on empty requests. Signed-off-by: Johan Hovold Reviewed-by: Alex Elder Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c index f0da387..a225813 100644 --- a/drivers/staging/greybus/hid.c +++ b/drivers/staging/greybus/hid.c @@ -163,6 +163,11 @@ static void gb_hid_irq_handler(u8 type, struct gb_operation *op) return; } + if (op->request->payload_size < 2) { + dev_err(&connection->dev, "short report received\n"); + return; + } + size = request->report[0] | request->report[1] << 8; if (!size) { dev_err(&connection->dev, "bad report size: %d\n", size);