Re: [PATCH 1/1] HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write

Next message: Luca Ceresoli: "Re: [PATCH v2] drm/bridge: dw-hdmi-qp: fix multi-channel audio output"
Previous message: Mark Brown: "Re: [PATCH] spi: axiado: fix use-after-free on probe failure"
In reply to: Lee Jones: "Re: [PATCH 1/1] HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write"
Next in thread: Lee Jones: "Re: [PATCH 1/1] HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Kosina

Date: Tue Mar 17 2026 - 13:38:48 EST

On Tue, 17 Mar 2026, Lee Jones wrote:

> > > diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
> > > index 44b716697510..885b986c7a12 100644
> > > --- a/drivers/hid/hid-logitech-dj.c
> > > +++ b/drivers/hid/hid-logitech-dj.c
> > > @@ -1282,6 +1282,12 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
> > > return -ENODEV;
> > > }
> > >
> > > + if (report->maxfield < 1 || report->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1) {
> >
> > This is all static information. So this should be checked in the
> > .probe(), once the device has been parsed, not for every single call of
> > logi_dj_recv_send_report().
>
> Doesn't report_count come from the device?

The point is -- maxfield and report_count can't change once parsed unless
the report descriptor would be re-read and re-parsed (which doesn't happen
in runtime, only during probe).

So checking during probe/parse time just once should be sufficient,
instead of checking it upon every received report.

Thanks,

--
Jiri Kosina
SUSE Labs