Commit 2b107d62 authored by Jiri Kosina's avatar Jiri Kosina
Browse files

HID: fix incorrent length condition in hidraw_write()



The bound check on the buffer length

	if (count > HID_MIN_BUFFER_SIZE)

is of course incorrent, the proper check is

	if (count > HID_MAX_BUFFER_SIZE)

Fix it.
Reported-by: default avatarJerry Ryle <jerry@mindtribe.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent d92870dd
......@@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t
if (!dev->hid_output_raw_report)
return -ENODEV;
if (count > HID_MIN_BUFFER_SIZE) {
if (count > HID_MAX_BUFFER_SIZE) {
printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
task_pid_nr(current));
return -EINVAL;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment