HID: Fix slab-out-of-bounds read in hid_field_extract

[sfrench/cifs-2.6.git] / drivers / hid / hid-core.c

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index e0b241bd3070c5a15e9ac90ecc81573aad6452ec..851fe54ea59e7c2636ab204372c49b749a136014 100644 (file)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -288,6 +288,12 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
        offset = report->size;
        report->size += parser->global.report_size * parser->global.report_count;
 
+       /* Total size check: Allow for possible report index byte */
+       if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
+               hid_err(parser->device, "report is too long\n");
+               return -1;
+       }
+
        if (!parser->local.usage_index) /* Ignore padding fields */
                return 0;