author | Andrew de los Reyes <adlr@google.com> | 2015-09-04 14:57:30 -0700 |
---|---|---|
committer | Andrew Duggan <aduggan@synaptics.com> | 2015-09-10 11:16:24 -0700 |
commit | 5f6172825c985c0904c21c6936fff8b677850b73 (patch) | |
tree | f10250088442c46a727428f84cda451c115fe023 | |
parent | 3db45610bbb349313b976c93c80dd615a8a194f7 (diff) | |
HIDDevice::GetReport: Fix count for split reads
Haven't tested split reads.
Addresses security concern:
HIDDevice::GetReport does not correctly handle split reads (count is
used at the end as if it were the total size of bytes read, which it
isn't), which could lead to communication corruption and data content
confusion (m_attnData and m_readData could have partially updated
contents). It's unlikely the hidraw interface could be tricked into
doing split reads, but I haven't tested it.
-rw-r--r-- | rmidevice/hiddevice.cpp | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index b6deaec..3d80a3a 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -442,6 +442,7 @@ int HIDDevice::GetReport(int *reportId, struct timeval * timeout)
 if (offset == m_inputReportSize)
 break;
 }
+ count = offset;
 }
 break;
 }
@@ -452,12 +453,12 @@ int HIDDevice::GetReport(int *reportId, struct timeval * timeout)
 if (m_inputReport[HID_RMI4_REPORT_ID] == RMI_ATTN_REPORT_ID) {
 if (static_cast<ssize_t>(m_inputReportSize) < count)
 return -1;
- memcpy(m_attnData, m_inputReport, count /*offset?*/);
+ memcpy(m_attnData, m_inputReport, count);
 } else if (m_inputReport[HID_RMI4_REPORT_ID] == RMI_READ_DATA_REPORT_ID) {
 if (static_cast<ssize_t>(m_inputReportSize) < count)
 return -1;
- memcpy(m_readData, m_inputReport, count /*offset?*/);
- m_dataBytesRead = count /*offset?*/;
+ memcpy(m_readData, m_inputReport, count);
+ m_dataBytesRead = count;
 }
 return 1;
 }
|
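Review bot: The added `count = offset;` silently changes what `count` means for the rest of GetReport, from the size of the last read to the running total, and nothing at that line records it. A short comment there, such as `// count now holds the total bytes accumulated across split reads, not the last read() size`, would make the later size checks and copies easier to audit. The read loop begins above this hunk, so how a zero-length or failed read leaves the loop cannot be judged from here. Since the commit message says split reads are untested, that path looks worth a test that feeds the report in two pieces.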
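Review bot: The guard before each `memcpy` compares `count` with `m_inputReportSize`, which bounds the source buffer `m_inputReport`, while the copies write into `m_attnData` and `m_readData`, whose capacities are not visible in this hunk. If those buffers are not allocated with at least `m_inputReportSize` bytes the check does not protect the destination, so it is worth confirming at the allocation site and recording with a comment such as `// m_attnData and m_readData are allocated with m_inputReportSize bytes`. The dispatch on `m_inputReport[HID_RMI4_REPORT_ID]` also has no visible lower bound on `count`, so a short or empty read could be classified by a stale report id left in the buffer. Unless code above the hunk already rejects that case, a check like `if (count <= HID_RMI4_REPORT_ID) return -1;` before the first `if` would close it.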