HID: mcp2221: fix OOB write in mcp2221_raw_event() - wireguard-linux

diff options

author	Florian Pradines <florian.pradines@gmail.com>	2026-05-09 09:45:17 +0000
committer	Jiri Kosina <jkosina@suse.com>	2026-05-12 17:48:16 +0200
commit	f097d246677b03db814c5862f368cea341b76a00 (patch)
tree	0c99ca034b43977c21004cdd662f93cdd5d530bb /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com
parent	HID: quirks: really enable the intended work around for appledisplay (diff)

HID: mcp2221: fix OOB write in mcp2221_raw_event()

mcp2221_raw_event() copies device-supplied data into mcp->rxbuf at offset rxbuf_idx without checking that the copy fits within the destination buffer. A device responding with up to 60 bytes to a small I2C/SMBus read can overflow the buffer. Add a rxbuf_size field to struct mcp2221, set it alongside rxbuf in mcp_i2c_smbus_read(), and check rxbuf_idx + data[3] <= rxbuf_size before the memcpy. Reported-by: Benoît Sevens <bsevens@google.com> Signed-off-by: Florian Pradines <florian.pradines@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.com>

Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: