author | Andrew de los Reyes <adlr@google.com> | 2015-09-04 14:40:06 -0700 |
---|---|---|
committer | Andrew Duggan <aduggan@synaptics.com> | 2015-09-10 11:16:24 -0700 |
commit | 242ea83b394b44a8eec4cc4307cd98460ea114da (patch) | |
tree | 1a5d5fa8d3254b873604dd700cbee901df421e2e /rmidevice/hiddevice.h | |
parent | 074c44877931621f32459e80e105e10a9119bcc8 (diff) | |
validate m_*Report lengths

Addresses Security concerns:

HIDDevice::Open does not validate minimum sizes for m_*ReportSize, which
could lead to past-end-of-buffer writes when using m_*Report arrays.

HIDDevice::GetAttentionReport does not correctly validate the size of
the m_attnData buffer vs the buf len. This is a past-end-of-buffer read
condition. I don't understand the point of reading bytes-many bytes but
returning *len set to the valid size of bytes in the buffer.

Diffstat (limited to 'rmidevice/hiddevice.h')
-rw-r--r-- | rmidevice/hiddevice.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/rmidevice/hiddevice.h b/rmidevice/hiddevice.h index 97be0e3..05a11fa 100644 --- a/rmidevice/hiddevice.h +++ b/rmidevice/hiddevice.h @@ -26,7 +26,11 @@ class HIDDevice : public RMIDevice { public: HIDDevice() : RMIDevice(), m_inputReport(NULL), m_outputReport(NULL), m_attnData(NULL), - m_readData(NULL), m_deviceOpen(false) + m_readData(NULL), + m_inputReportSize(0), + m_outputReportSize(0), + m_featureReportSize(0), + m_deviceOpen(false) {} virtual int Open(const char * filename); virtual int Read(unsigned short addr, unsigned char *buf, |
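
Review bot: In the HIDDevice() initializer list, m_inputReportSize, m_outputReportSize and m_featureReportSize are now zeroed, but nothing in this header says that 0 means "size not yet read from the device", so a later reader cannot tell whether 0 is a sentinel or a legal size. A short comment on the member declarations would make that explicit. Please also confirm that the new initializers appear in the same order as the members are declared in the class (the declarations are outside this hunk), since a mismatch triggers -Wreorder and hides the real initialization order. The minimum-size checks in Open and the length check in GetAttentionReport that the commit message describes are not part of this file-limited view, so this hunk alone only removes the uninitialized-size case. The code that rejects a size still at 0 before the m_inputReport, m_outputReport and m_readData buffers are allocated or indexed needs to be reviewed in the corresponding .cpp change.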