On Sat, 26 Jul 2025 23:09:31 +0100, Arnaud Lecomte wrote:
> As reported by syzbot, mcp2221_raw_event lacked
> validation of incoming I2C read data sizes, risking buffer
> overflows in mcp->rxbuf during multi-part transfers.
> As highlighted in the DS20005565B spec, p44, we have:
> "The number of read-back data bytes to follow in this packet:
> from 0 to a maximum of 60 bytes of read-back bytes."
> This patch enforces we don't exceed this limit.
>
> [...]

Applied to hid/hid.git (for-6.17/upstream-fixes), thanks!

[1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
      https://git.kernel.org/hid/hid/c/b56cc41a3ae7

Cheers,
-- 
Benjamin Tissoires <bentiss@xxxxxxxxxx>
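
Added example, not part of the original message and not the kernel patch itself: a user-space C model of the class of check the commit message describes, rejecting a device-supplied length byte above the 60-byte datasheet maximum before copying into a receive buffer during a multi-part read. It goes one step beyond the quoted description by also checking the room left in the destination. The report layout (64-byte report, length at byte 3, payload from byte 4), `struct rx_state`, `rx_append` and `feed` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REPORT_LEN 64 /* assumed report size for this model */
#define LEN_OFFSET 3  /* assumed position of the device-supplied length byte */
#define HDR_LEN    4  /* assumed start of the read-back payload */
#define MAX_CHUNK  60 /* per-packet maximum quoted from the datasheet */

struct rx_state {     /* hypothetical stand-in for the driver's receive state */
    uint8_t *rxbuf;   /* destination supplied by the caller of the read */
    size_t rxbuf_len; /* total bytes that caller asked for */
    size_t rxbuf_idx; /* bytes stored so far across earlier packets */
};

/* Store one packet's payload; returns 0, or -1 if the packet is rejected. */
int rx_append(struct rx_state *st, const uint8_t *report, size_t report_len)
{
    size_t n;
    if (!st->rxbuf || report_len < REPORT_LEN)
        return -1;
    n = report[LEN_OFFSET];
    if (n > MAX_CHUNK) /* also keeps the source read inside the report */
        return -1;
    /* Remaining room, written so the subtraction cannot wrap. */
    if (st->rxbuf_idx > st->rxbuf_len || n > st->rxbuf_len - st->rxbuf_idx)
        return -1;
    memcpy(st->rxbuf + st->rxbuf_idx, report + HDR_LEN, n);
    st->rxbuf_idx += n;
    return 0;
}

/* Constructed harness: feed packets with the given length bytes into a
 * `want`-byte read. Returns bytes stored, or -1 at the first rejection. */
long feed(const uint8_t *lens, size_t count, size_t want)
{
    uint8_t dst[128], report[REPORT_LEN];
    struct rx_state st = { dst, want, 0 };

    if (want > sizeof(dst))
        return -1;
    for (size_t i = 0; i < count; i++) {
        memset(report, 0xAB, sizeof(report));
        report[LEN_OFFSET] = lens[i];
        if (rx_append(&st, report, sizeof(report)) < 0)
            return -1;
    }
    return (long)st.rxbuf_idx;
}
```

A 100-byte read delivered as 60 + 40 bytes is accepted. A packet claiming 61 bytes, or a second 60-byte packet when only 40 bytes of room remain, is rejected before any copy happens.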