40 lines
1.4 KiB
Diff
40 lines
1.4 KiB
Diff
From: Seth Forshee <seth.forshee () canonical ! com>
|
|
Date: Fri, 20 Feb 2015 17:45:11 -0500
|
|
Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
|
|
events
|
|
|
|
d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
|
|
changed hid_get_input() to read ihid->bufsize bytes, which can be
|
|
more than wMaxInputLength. This is the case with the Dell XPS 13
|
|
9343, and it is causing events to be missed. In some cases the
|
|
missed events are releases, which can cause the cursor to jump or
|
|
freeze, among other problems. Limit the number of bytes read to
|
|
min(wMaxInputLength, ihid->bufsize) to prevent such problems.
|
|
|
|
Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
|
|
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
|
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
|
|
---
|
|
drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
|
|
index d43e967e7533..5e72fc2428f0 100644
|
|
--- a/drivers/hid/i2c-hid/i2c-hid.c
|
|
+++ b/drivers/hid/i2c-hid/i2c-hid.c
|
|
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
|
|
static void i2c_hid_get_input(struct i2c_hid *ihid)
|
|
{
|
|
int ret, ret_size;
|
|
- int size = ihid->bufsize;
|
|
+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
|
|
+
|
|
+ if (size > ihid->bufsize)
|
|
+ size = ihid->bufsize;
|
|
|
|
ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
|
|
if (ret != size) {
|
|
--
|
|
2.1.0
|
|
|