validate m_*Report lengths

Addresses Security concerns: HIDDevice::Open does not validate minimum sizes for m_*ReportSize, which could lead to past-end-of-buffer writes when using m_*Report arrays. HIDDevice::GetAttentionReport does not correctly validate the size of the m_attnData buffer vs the buf len. This is a past-end-of-buffer read condition. I don't understand the point of reading bytes-many bytes but returning *len set to the valid size of bytes in the buffer.
author: Andrew de los Reyes <adlr@google.com> 2015-09-04 14:40:06 -0700
committer: Andrew Duggan <aduggan@synaptics.com> 2015-09-10 11:16:24 -0700
commit: 242ea83b394b44a8eec4cc4307cd98460ea114da (patch)
tree: 1a5d5fa8d3254b873604dd700cbee901df421e2e /rmidevice/hiddevice.h
parent: 074c44877931621f32459e80e105e10a9119bcc8 (diff)
download: rmi4utils-242ea83b394b44a8eec4cc4307cd98460ea114da.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/rmidevice/hiddevice.h b/rmidevice/hiddevice.h
index 97be0e3..05a11fa 100644
--- a/rmidevice/hiddevice.h
+++ b/rmidevice/hiddevice.h
@@ -26,7 +26,11 @@ class HIDDevice : public RMIDevice
 {
 public:
 	HIDDevice() : RMIDevice(), m_inputReport(NULL), m_outputReport(NULL), m_attnData(NULL),
-			m_readData(NULL), m_deviceOpen(false)
+		      m_readData(NULL),
+		      m_inputReportSize(0),
+		      m_outputReportSize(0),
+		      m_featureReportSize(0),
+		      m_deviceOpen(false)
 	{}
 	virtual int Open(const char * filename);
 	virtual int Read(unsigned short addr, unsigned char *buf,
author	Andrew de los Reyes <adlr@google.com>	2015-09-04 14:40:06 -0700
committer	Andrew Duggan <aduggan@synaptics.com>	2015-09-10 11:16:24 -0700
commit	242ea83b394b44a8eec4cc4307cd98460ea114da (patch)
tree	1a5d5fa8d3254b873604dd700cbee901df421e2e /rmidevice/hiddevice.h
parent	074c44877931621f32459e80e105e10a9119bcc8 (diff)
download	rmi4utils-242ea83b394b44a8eec4cc4307cd98460ea114da.tar.gz