From: anton Date: Fri, 11 Nov 2022 13:59:40 +0000 (+0000) Subject: ihidev can pass a buffer larger than the size of the claimed input X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=538a0e866115defba8e28dcb263e7982e116901a;p=openbsd ihidev can pass a buffer larger than the size of the claimed input report since it unconditionally uses the size of the longest input report. This is quite harmless and the defensive check in hidcc can therefore be relaxed and instead only examining the number of expected bytes. ok matthieu@ patrick@ --- diff --git a/sys/dev/hid/hidcc.c b/sys/dev/hid/hidcc.c index eb27f0b260c..7ab8c39f30e 100644 --- a/sys/dev/hid/hidcc.c +++ b/sys/dev/hid/hidcc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hidcc.c,v 1.1 2022/11/11 06:46:48 anton Exp $ */ +/* $OpenBSD: hidcc.c,v 1.2 2022/11/11 13:59:40 anton Exp $ */ /* * Copyright (c) 2022 Anton Lindqvist @@ -696,12 +696,8 @@ hidcc_intr(struct hidcc *sc, void *data, u_int len) hidcc_dump(sc, __func__, data, len); - if (len > sc->sc_input.i_bufsiz) { - DPRINTF("%s: too much data: len %d, bufsiz %d\n", DEVNAME(sc), - len, sc->sc_input.i_bufsiz); - return; - } - + if (len > sc->sc_input.i_bufsiz) + len = sc->sc_input.i_bufsiz; error = hidcc_intr_slice(sc, data, buf, &len); if (error) { DPRINTF("%s: slice failure: error %d\n", DEVNAME(sc), error);