Re: [PATCH 1/1] HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write

Next message: Andrea Righi: "Re: [PATCH] sched/fair: Prefer fully-idle SMT cores in asym-capacity idle selection"
Previous message: Alejandro Oliv&#xE1;n Alvarez: "Re: Bug#1130336: [regression] Network failure beyond first connection after 69894e5b4c5e (&quot;netfilter: nft_connlimit: update the count if add was skipped&quot;)"
In reply to: Jiri Kosina: "Re: [PATCH 1/1] HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Lee Jones

Date: Thu Mar 19 2026 - 04:46:32 EST

On Tue, 17 Mar 2026, Jiri Kosina wrote:

> On Tue, 17 Mar 2026, Lee Jones wrote:
>
> > > > diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
> > > > index 44b716697510..885b986c7a12 100644
> > > > --- a/drivers/hid/hid-logitech-dj.c
> > > > +++ b/drivers/hid/hid-logitech-dj.c
> > > > @@ -1282,6 +1282,12 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
> > > > return -ENODEV;
> > > > }
> > > >
> > > > + if (report->maxfield < 1 || report->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1) {
> > >
> > > This is all static information. So this should be checked in the
> > > .probe(), once the device has been parsed, not for every single call of
> > > logi_dj_recv_send_report().
> >
> > Doesn't report_count come from the device?
>
> The point is -- maxfield and report_count can't change once parsed unless
> the report descriptor would be re-read and re-parsed (which doesn't happen
> in runtime, only during probe).
>
> So checking during probe/parse time just once should be sufficient,
> instead of checking it upon every received report.

Okay, thanks for the explanation. I'll give it a shot.

--
Lee Jones [李琼斯]