From 5f6172825c985c0904c21c6936fff8b677850b73 Mon Sep 17 00:00:00 2001
From: Andrew de los Reyes
Date: Fri, 4 Sep 2015 14:57:30 -0700
Subject: HIDDevice::GetReport: Fix count for split reads

Haven't tested split reads.

Addresses security concern: HIDDevice::GetReport does not correctly handle split reads (count is used at the end as if it were the total size of bytes read, which it isn't), which could lead to communication corruption and data content confusion (m_attnData and m_readData could have partially updated contents). It's unlikely the hidraw interface could be tricked into doing split reads, but I haven't tested it.
---
 rmidevice/hiddevice.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rmidevice/hiddevice.cpp b/rmidevice/hiddevice.cpp
index b6deaec..3d80a3a 100644
--- a/rmidevice/hiddevice.cpp
+++ b/rmidevice/hiddevice.cpp
@@ -442,6 +442,7 @@ int HIDDevice::GetReport(int *reportId, struct timeval * timeout)
  if (offset == m_inputReportSize)
  break;
  }
+ count = offset;
  }
  break;
  }
@@ -452,12 +453,12 @@ int HIDDevice::GetReport(int *reportId, struct timeval * timeout)
  if (m_inputReport[HID_RMI4_REPORT_ID] == RMI_ATTN_REPORT_ID) {
  if (static_cast(m_inputReportSize) < count)
  return -1;
- memcpy(m_attnData, m_inputReport, count /*offset?*/);
+ memcpy(m_attnData, m_inputReport, count);
  } else if (m_inputReport[HID_RMI4_REPORT_ID] == RMI_READ_DATA_REPORT_ID) {
  if (static_cast(m_inputReportSize) < count)
  return -1;
- memcpy(m_readData, m_inputReport, count /*offset?*/);
- m_dataBytesRead = count /*offset?*/;
+ memcpy(m_readData, m_inputReport, count);
+ m_dataBytesRead = count;
  }
  return 1;
  }
--
cgit v1.2.3
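Review bot: The `count = offset;` added after the split-read loop is assigned on every exit from that loop, not only when `offset == m_inputReportSize` caused the break, so if the loop leaves for some other reason (an error or timeout path that is not visible in this hunk) `count` holds a partial length that still passes the `m_inputReportSize < count` guard in the second hunk and is copied into m_attnData or m_readData, with m_dataBytesRead set to that partial size — the same partially-updated-buffer condition the commit message is trying to rule out. A completeness check after the loop, `if (offset != m_inputReportSize) return -1;` placed before `count = offset;`, would close that path, assuming the loop's other exits are indeed failure cases rather than a legitimate short report. The guard in the second hunk only compares against m_inputReportSize; whether m_attnData and m_readData are sized to at least m_inputReportSize cannot be confirmed from these hunks and is worth a comment at their allocation. GetReport begins before the first hunk, and the body of the split-read loop lies outside it.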