HID: hid-logitech-dj: fix off by one

There is a bug where a device with index 6 would write out of bounds in the array of paired devices. This patch fixes that problem. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> Reviewed-by: Olivier Gay <ogay@logitech.com> Signed-off-by: Nestor Lopez Casado <nlopezcasad@logitech.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>

HID: hid-logitech-dj: fix off by one
There is a bug where a device with index 6 would write out of bounds in the array of paired devices. This patch fixes that problem. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> Reviewed-by: Olivier Gay <ogay@logitech.com> Signed-off-by: Nestor Lopez Casado <nlopezcasad@logitech.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Nestor Lopez Casado · Jiri Kosina
1 parent 534a7b8e10
Showing 2 changed files with 5 additions and 5 deletions Side-by-side Diff
drivers/hid/hid-logitech-dj.c
drivers/hid/hid-logitech-dj.h
@@ -179,9 +179,6 @@
  
 #define LOGITECH_DJ_INTERFACE_NUMBER 0x02
  
-#define DJ_DEVICE_INDEX_MIN 1
-#define DJ_DEVICE_INDEX_MAX 6
-
 static struct hid_ll_driver logi_dj_ll_driver;
  
 static int logi_dj_output_hidraw_report(struct hid_device *hid, u8 * buf,
@@ -823,7 +820,7 @@
 	 * have finished and no more raw_event callbacks should arrive after
 	 * the remove callback was triggered so no locks are put around the
 	 * code below */
-	for (i = 0; i < DJ_MAX_PAIRED_DEVICES; i++) {
+	for (i = 0; i < (DJ_MAX_PAIRED_DEVICES + DJ_DEVICE_INDEX_MIN); i++) {
 		dj_dev = djrcv_dev->paired_dj_devices[i];
 		if (dj_dev != NULL) {
 			hid_destroy_device(dj_dev->hdev);
@@ -27,6 +27,8 @@
  
 #define DJ_MAX_PAIRED_DEVICES			6
 #define DJ_MAX_NUMBER_NOTIFICATIONS		8
+#define DJ_DEVICE_INDEX_MIN 			1
+#define DJ_DEVICE_INDEX_MAX 			6
  
 #define DJREPORT_SHORT_LENGTH			15
 #define DJREPORT_LONG_LENGTH			32
@@ -94,7 +96,8 @@
  
 struct dj_receiver_dev {
 	struct hid_device *hdev;
-	struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES];
+	struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES +
+					    DJ_DEVICE_INDEX_MIN];
 	struct work_struct work;
 	struct kfifo notif_fifo;
 	spinlock_t lock;
...	...	@@ -179,9 +179,6 @@
179	179
180	180	#define LOGITECH_DJ_INTERFACE_NUMBER 0x02
181	181
182		-#define DJ_DEVICE_INDEX_MIN 1
183		-#define DJ_DEVICE_INDEX_MAX 6
184		-
185	182	static struct hid_ll_driver logi_dj_ll_driver;
186	183
187	184	static int logi_dj_output_hidraw_report(struct hid_device hid, u8 buf,
...	...	@@ -823,7 +820,7 @@
823	820	* have finished and no more raw_event callbacks should arrive after
824	821	* the remove callback was triggered so no locks are put around the
825	822	* code below */
826		- for (i = 0; i < DJ_MAX_PAIRED_DEVICES; i++) {
	823	+ for (i = 0; i < (DJ_MAX_PAIRED_DEVICES + DJ_DEVICE_INDEX_MIN); i++) {
827	824	dj_dev = djrcv_dev->paired_dj_devices[i];
828	825	if (dj_dev != NULL) {
829	826	hid_destroy_device(dj_dev->hdev);
...	...	@@ -27,6 +27,8 @@
27	27
28	28	#define DJ_MAX_PAIRED_DEVICES 6
29	29	#define DJ_MAX_NUMBER_NOTIFICATIONS 8
	30	+#define DJ_DEVICE_INDEX_MIN 1
	31	+#define DJ_DEVICE_INDEX_MAX 6
30	32
31	33	#define DJREPORT_SHORT_LENGTH 15
32	34	#define DJREPORT_LONG_LENGTH 32
...	...	@@ -94,7 +96,8 @@
94	96
95	97	struct dj_receiver_dev {
96	98	struct hid_device *hdev;
97		- struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES];
	99	+ struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES +
	100	+ DJ_DEVICE_INDEX_MIN];
98	101	struct work_struct work;
99	102	struct kfifo notif_fifo;
100	103	spinlock_t lock;