[PATCH] hid-core: Zero-pad truncated reports

When it detects a truncated report, hid-core emits a warning and then processes the report as usual. This is good because it allows buggy devices to still get data thru to userspace. However, the missing bytes of the report should be cleared before processing, otherwise userspace will be handed partially-uninitialized data. This fixes Debian tracker bug #330487. Signed-off-by: Adam Kropelin <akropel1@rochester.rr.com> Cc: Vojtech Pavlik <vojtech@suse.cz> Acked-by: Dmitry Torokhov <dtor_core@ameritech.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-12-13 17:03:39 -08:00 · 2005-12-13 17:03:39 -08:00 · cd6104572b
--- a/drivers/usb/input/hid-core.c
+++ b/drivers/usb/input/hid-core.c
@ -893,8 +893,10 @@ static int hid_input_report(int type, struct urb *urb, int interrupt, struct pt_

 	size = ((report->size - 1) >> 3) + 1;

-	if (len < size)
+	if (len < size) {
 		dbg("report %d is too short, (%d < %d)", report->id, len, size);
+		memset(data + len, 0, size - len);
+	}

 	if (hid->claimed & HID_CLAIMED_HIDDEV)
 		hiddev_report_event(hid, report);