HID: fix a couple of off-by-ones

commit 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 upstream. There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those. Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [bwh: Backported to 2.6.32: - Adjust context - Drop change to a quirk in hid-lg.c that doesn't exist here] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> CVE-2014-3184 Signed-off-by: Willy Tarreau <w@1wt.eu>
author: Jiri Kosina <jkosina@suse.cz> 2014-08-21 09:57:48 -0500
committer: Willy Tarreau <w@1wt.eu> 2015-09-18 13:51:53 +0200
commit: d8b3be1ede7a9559cef59f8066ba90a17f989dd8 (patch)
tree: fdbc52a24d85f5bdf7cd99340099005e6ff28dc3 /drivers/hid/hid-kye.c
parent: f9e6d14d33ab7e4ada2d59acaf16196626063e95 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
index f8871712b7b5..30f723b7f267 100644
--- a/drivers/hid/hid-kye.c
+++ b/drivers/hid/hid-kye.c
@@ -26,7 +26,7 @@
 static void kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 		unsigned int rsize)
 {
-	if (rsize >= 74 &&
+	if (rsize >= 75 &&
 		rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
 		rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
 		rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
author	Jiri Kosina <jkosina@suse.cz>	2014-08-21 09:57:48 -0500
committer	Willy Tarreau <w@1wt.eu>	2015-09-18 13:51:53 +0200
commit	d8b3be1ede7a9559cef59f8066ba90a17f989dd8 (patch)
tree	fdbc52a24d85f5bdf7cd99340099005e6ff28dc3 /drivers/hid/hid-kye.c
parent	f9e6d14d33ab7e4ada2d59acaf16196626063e95 (diff)