diff options
| author | Michael Zaidman <michael.zaidman@gmail.com> | 2022-11-05 23:11:49 +0200 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2022-11-11 11:09:36 +0100 |
| commit | c2500bdffe5a95fbd0aecdd5be3d2f175ad22f92 (patch) | |
| tree | e528f44b71df94400fd7970b89c70c501d0f5ebb | |
| parent | 4b3da6853a619a952e8caf2e8393264dd42ffa27 (diff) | |
HID: ft260: fix a NULL pointer dereference in ft260_i2c_write
The zero-length passed into the ft260_i2c_write() triggered the
NULL pointer dereference in the debug message on data[0] access.
Since the controller does not support a write of zero length,
let's not allow it.
Before:
$ sudo i2ctransfer -y 13 w0@0x51
Killed
After:
$ sudo i2ctransfer -y 13 w0@0x51
Error: Sending messages failed: Invalid argument
Reported-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
| -rw-r--r-- | drivers/hid/hid-ft260.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c index ac133980dfe9..b4f180c8750a 100644 --- a/drivers/hid/hid-ft260.c +++ b/drivers/hid/hid-ft260.c @@ -409,6 +409,9 @@ static int ft260_i2c_write(struct ft260_device *dev, u8 addr, u8 *data, struct ft260_i2c_write_request_report *rep = (struct ft260_i2c_write_request_report *)dev->write_buf; + if (len < 1) + return -EINVAL; + rep->flag = FT260_FLAG_START; do { |