From 36257f6b4e7671cb12f98d91a6ffdeabdc254d0c Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@hovoldconsulting.com>
Date: Fri, 27 Mar 2015 12:45:46 +0100
Subject: [PATCH] greybus: hid: fix null-deref on short report requests

Make sure to verify the length of incoming requests before trying to
parse the request buffer, which can even be NULL on empty requests.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
---
 drivers/staging/greybus/hid.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index f0da387476b8..a225813bc477 100644
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -163,6 +163,11 @@ static void gb_hid_irq_handler(u8 type, struct gb_operation *op)
 		return;
 	}
 
+	if (op->request->payload_size < 2) {
+		dev_err(&connection->dev, "short report received\n");
+		return;
+	}
+
 	size = request->report[0] | request->report[1] << 8;
 	if (!size) {
 		dev_err(&connection->dev, "bad report size: %d\n", size);
-- 
2.39.5