Commit 495a4f0d authored by Marius Zachmann's avatar Marius Zachmann Committed by Guenter Roeck
Browse files

hwmon: (corsair-cpro) Validate the size of the received input buffer 



Add buffer_recv_size to store the size of the received bytes.
Validate buffer_recv_size in send_usb_cmd().

Reported-by: default avatar <syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/linux-hwmon/61233ba1-e5ad-4d7a-ba31-3b5d0adcffcc@roeck-us.net


Fixes: 40c3a445 ("hwmon: add Corsair Commander Pro driver")
Signed-off-by: default avatarMarius Zachmann <mail@mariuszachmann.de>
Link: https://lore.kernel.org/r/20250619132817.39764-5-mail@mariuszachmann.de


Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
parent 347e9f50

drivers/hwmon/corsair-cpro.c

+5 −0
Original line number Diff line number Diff line
@@ -89,6 +89,7 @@ struct ccp_device { 
	struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */

	u8 *cmd_buffer;

	u8 *buffer;

	int buffer_recv_size; /* number of received bytes in buffer */

	int target[6];

	DECLARE_BITMAP(temp_cnct, NUM_TEMP_SENSORS);

	DECLARE_BITMAP(fan_cnct, NUM_FANS);
@@ -146,6 +147,9 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2, 
	if (!t)

		return -ETIMEDOUT;



	if (ccp->buffer_recv_size != IN_BUFFER_SIZE)

		return -EPROTO;



	return ccp_get_errno(ccp);

}
@@ -157,6 +161,7 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8 
	spin_lock(&ccp->wait_input_report_lock);

	if (!completion_done(&ccp->wait_input_report)) {

		memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));

		ccp->buffer_recv_size = size;

		complete_all(&ccp->wait_input_report);

	}

	spin_unlock(&ccp->wait_input_report_lock);