ipts: prevent buffer-overflows by truncating HID reports

linux-surface · Jan 28, 2020 · 8acf3f6 · 8acf3f6
1 parent 44c036b
commit 8acf3f6
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/drivers/misc/ipts/hid.c b/drivers/misc/ipts/hid.c
@@ -303,6 +303,9 @@ int ipts_handle_hid_data(struct ipts_info *ipts,
 
 	switch (raw_header->data_type) {
 	case TOUCH_RAW_DATA_TYPE_HID_REPORT: {
+		if (raw_header->raw_data_size_bytes > HID_MAX_BUFFER_SIZE)
+			raw_header->raw_data_size_bytes = HID_MAX_BUFFER_SIZE;
+
 		memcpy(ipts->hid_input_report, raw_data,
 			raw_header->raw_data_size_bytes);