HID: i2c-hid: allocate hid buffers for real worst case

The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.

Cc: stable@vger.kernel.org
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 77396145d2d093af60e44c825ffaabd25f9b68a1..9145c2129a967464e1e7ed8978dbe53c6db9e86e 100644 (file)
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
 {
        /* the worst case is computed from the set_report command with a
         * reportID > 15 and the maximum report length */
-       int args_len = sizeof(__u8) + /* optional ReportID byte */
+       int args_len = sizeof(__u8) + /* ReportID */
+                      sizeof(__u8) + /* optional ReportID byte */
                       sizeof(__u16) + /* data register */
                       sizeof(__u16) + /* size of the report */
                       report_size; /* report */