svn commit: r336577 - head/sys/dev/usb

Sat Jul 21 14:20:18 UTC 2018

Author: wulf
Date: Sat Jul 21 14:20:17 2018
New Revision: 336577
URL: https://svnweb.freebsd.org/changeset/base/336577

Log:
  Raise "Report Count" value limit in HID descriptor parser.
  
  This fixes usage/report size calculation of Microsoft`s "Touch Hardware
  Quality Assurance" certificate blob found in many touchscreens.
  
  While here, join several "c->flags = dval" lines in to single line.
  
  Reviewed by:	hselasky
  MFC after:	2 weeks
  Differential Revision:	https://reviews.freebsd.org/D16357

Modified:
  head/sys/dev/usb/usb_hid.c

Modified: head/sys/dev/usb/usb_hid.c
==============================================================================

--- head/sys/dev/usb/usb_hid.c	Sat Jul 21 07:50:46 2018	(r336576)
+++ head/sys/dev/usb/usb_hid.c	Sat Jul 21 14:20:17 2018	(r336577)
@@ -74,6 +74,7 @@ static uint8_t hid_get_byte(struct hid_data *s, const 
 #define	MAXUSAGE 64
 #define	MAXPUSH 4
 #define	MAXID 16
+#define	MAXLOCCNT 1024
 
 struct hid_pos_data {
 	int32_t rid;
@@ -91,10 +92,10 @@ struct hid_data {
 	int32_t usage_last;	/* last seen usage */
 	uint32_t loc_size;	/* last seen size */
 	uint32_t loc_count;	/* last seen count */
+	uint32_t ncount;	/* end usage item count */
+	uint32_t icount;	/* current usage item count */
 	uint8_t	kindset;	/* we have 5 kinds so 8 bits are enough */
 	uint8_t	pushlevel;	/* current pushlevel */
-	uint8_t	ncount;		/* end usage item count */
-	uint8_t icount;		/* current usage item count */
 	uint8_t	nusage;		/* end "usages_min/max" index */
 	uint8_t	iusage;		/* current "usages_min/max" index */
 	uint8_t ousage;		/* current "usages_min/max" offset */
@@ -347,18 +348,19 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 			switch (bTag) {
 			case 8:	/* Input */
 				c->kind = hid_input;
-				c->flags = dval;
 		ret:
+				c->flags = dval;
 				c->loc.count = s->loc_count;
 				c->loc.size = s->loc_size;
 
 				if (c->flags & HIO_VARIABLE) {
 					/* range check usage count */
-					if (c->loc.count > 255) {
+					if (c->loc.count > MAXLOCCNT) {
 						DPRINTFN(0, "Number of "
-						    "items(%u) truncated to 255\n",
-						    (unsigned)(c->loc.count));
-						s->ncount = 255;
+						    "items(%u) truncated to %u\n",
+						    (unsigned)(c->loc.count),
+						    MAXLOCCNT);
+						s->ncount = MAXLOCCNT;
 					} else
 						s->ncount = c->loc.count;
 
@@ -374,7 +376,6 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 
 			case 9:	/* Output */
 				c->kind = hid_output;
-				c->flags = dval;
 				goto ret;
 			case 10:	/* Collection */
 				c->kind = hid_collection;
@@ -385,7 +386,6 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 				return (1);
 			case 11:	/* Feature */
 				c->kind = hid_feature;
-				c->flags = dval;
 				goto ret;
 			case 12:	/* End collection */
 				c->kind = hid_endcollection;
