From: Jiri Kosina Date: Wed, 17 Sep 2008 17:41:58 +0000 (+0200) Subject: HID: fix incorrent length condition in hidraw_write() X-Git-Tag: firefly_0821_release~17679^2~16 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2b107d629dc0c35de606bb7b010b829cd247a93a;p=firefly-linux-kernel-4.4.55.git HID: fix incorrent length condition in hidraw_write() The bound check on the buffer length if (count > HID_MIN_BUFFER_SIZE) is of course incorrent, the proper check is if (count > HID_MAX_BUFFER_SIZE) Fix it. Reported-by: Jerry Ryle Signed-off-by: Jiri Kosina --- diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 4be240e74d4f..497e0d1dd3c3 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t if (!dev->hid_output_raw_report) return -ENODEV; - if (count > HID_MIN_BUFFER_SIZE) { + if (count > HID_MAX_BUFFER_SIZE) { printk(KERN_WARNING "hidraw: pid %d passed too large report\n", task_pid_nr(current)); return -EINVAL;