authorAndrew de los Reyes <adlr@google.com>2015-09-04 14:57:30 -0700
committerAndrew Duggan <aduggan@synaptics.com>2015-09-10 11:16:24 -0700
commit5f6172825c985c0904c21c6936fff8b677850b73 (patch)
treef10250088442c46a727428f84cda451c115fe023
parent3db45610bbb349313b976c93c80dd615a8a194f7 (diff)
HIDDevice::GetReport: Fix count for split reads
Haven't tested split reads. Addresses security concern: HIDDevice::GetReport does not correctly handle split reads (count is used at the end as if it were the total size of bytes read, which it isn't), which could lead to communication corruption and data content confusion (m_attnData and m_readData could have partially updated contents). It's unlikely the hidraw interface could be tricked into doing split reads, but I haven't tested it.
-rw-r--r--rmidevice/hiddevice.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index b6deaec..3d80a3a 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -442,6 +442,7 @@ int HIDDevice::GetReport(int *reportId, struct timeval * timeout)
if (offset == m_inputReportSize)
break;
}
+ count = offset;
}
break;
}
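Review bot: The added `count = offset;` carries no comment explaining why count is overwritten, and the reason is not evident from the line itself. According to the commit message, count holds only the size of the last read in a split read while offset is the accumulated total; a comment such as `// split read: count is only the last chunk, use the accumulated total` would record that. The loop that advances offset starts outside the hunk, so it is not visible whether it can exit with offset below m_inputReportSize (for example on a read error or timeout); if it can, that partial report should be rejected before it is treated as complete.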
@@ -452,12 +453,12 @@ int HIDDevice::GetReport(int *reportId, struct timeval * timeout)
if (m_inputReport[HID_RMI4_REPORT_ID] == RMI_ATTN_REPORT_ID) {
if (static_cast<ssize_t>(m_inputReportSize) < count)
return -1;
- memcpy(m_attnData, m_inputReport, count /*offset?*/);
+ memcpy(m_attnData, m_inputReport, count);
} else if (m_inputReport[HID_RMI4_REPORT_ID] == RMI_READ_DATA_REPORT_ID) {
if (static_cast<ssize_t>(m_inputReportSize) < count)
return -1;
- memcpy(m_readData, m_inputReport, count /*offset?*/);
- m_dataBytesRead = count /*offset?*/;
+ memcpy(m_readData, m_inputReport, count);
+ m_dataBytesRead = count;
}
return 1;
}
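Review bot: Both `memcpy` calls rely on a guard that only bounds count from above by m_inputReportSize, the size of the source buffer; nothing in the hunk sets a lower bound on count or ties it to the capacity of m_attnData or m_readData. count is compared as `ssize_t`, so if a negative value from a failed read can reach this point, it passes the guard and converts to a very large length in memcpy. Unless earlier code outside the hunk already returns in that case, the guard in both branches could read `if (count < 0 || static_cast<ssize_t>(m_inputReportSize) < count) return -1;`. It is also worth confirming that the two destination buffers are allocated with at least m_inputReportSize bytes.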