From: Andrej Shadura <andrew.shadura@collabora.co.uk>
To: "Jiří Kosina" <jikos@kernel.org>
Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org,
kernel@collabora.com,
Benjamin Tissoires <benjamin.tissoires@gmail.com>
Subject: [PATCH] HID: u2fzero: ignore incomplete packets without data
Date: Thu, 16 Sep 2021 17:33:11 +0100
Message-ID: <20210916163311.11968-1-andrew.shadura@collabora.co.uk>
Since the actual_length calculation is performed unsigned, packets
shorter than 7 bytes (e.g. packets without data or otherwise truncated)
or non-received packets ("zero" bytes) can cause buffer overflow.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
Fixes: 42337b9d4d958 ("HID: add driver for U2F Zero built-in LED and RNG")
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
drivers/hid/hid-u2fzero.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 95e0807878c7..d70cd3d7f583 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
}
ret = u2fzero_recv(dev, &req, &resp);
- if (ret < 0)
+
+ /* ignore errors or packets without data */
+ if (ret < offsetof(struct u2f_hid_msg, init.data))
return 0;
/* only take the minimum amount of data it is safe to take */
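Review bot: In the new test `if (ret < offsetof(struct u2f_hid_msg, init.data))`, `offsetof()` yields a `size_t`, so if `ret` is a signed int (as the removed `if (ret < 0)` implies) it is converted to unsigned for the comparison, and a negative error code from `u2fzero_recv()` becomes a very large value that does not satisfy the test. The comment says errors are ignored here, but they would fall through to the length calculation that follows. Consider keeping the sign check explicit, for example `if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data))`, or casting the offset to `int` before comparing.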
--
2.31.1
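The unsigned wrap described in the commit message, shown as an added example that is not part of the original patch or the driver's code. It is a userspace C model: `struct model_msg`, `copy_len_before`, `copy_len_after` and the 128-byte `max` are constructed assumptions, and only the 7-byte header length comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not the driver's definitions: a 64-byte report whose
 * payload starts after a 7-byte header (the "7 bytes" of the commit message). */
struct model_msg {
    uint8_t cid[4];
    uint8_t cmd;
    uint8_t bcnth;
    uint8_t bcntl;
    uint8_t data[57];
};
#define HDR_LEN offsetof(struct model_msg, data)

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Before: only negative results are rejected. For ret in 0..6 the
 * unsigned subtraction wraps to a huge value, so the clamp falls back to
 * max, which the caller chose without regard to the 57-byte data field. */
static size_t copy_len_before(int ret, size_t max)
{
    if (ret < 0)
        return 0;
    return min_sz((size_t)ret - HDR_LEN, max);
}

/* After: reject errors and anything shorter than the header before
 * subtracting. The sign test is explicit so the comparison with HDR_LEN
 * (a size_t) only ever sees non-negative values. */
static size_t copy_len_after(int ret, size_t max)
{
    if (ret < 0 || (size_t)ret < HDR_LEN)
        return 0;
    return min_sz((size_t)ret - HDR_LEN, max);
}

int main(void)
{
    const int rets[] = { -5, 0, 3, 7, 64 };   /* constructed return values */
    for (size_t i = 0; i < sizeof rets / sizeof rets[0]; i++)
        printf("ret=%3d before=%zu after=%zu\n", rets[i],
               copy_len_before(rets[i], 128), copy_len_after(rets[i], 128));
    return 0;
}
```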
Thread overview: 3+ messages
2021-09-16 16:33 Andrej Shadura [this message]
2021-09-16 17:48 ` [PATCH] HID: u2fzero: ignore incomplete packets without data Andrej Shadura
2021-09-22 7:31 ` Jiri Kosina