
fix(hidpp): bounds-check raw report dispatch lambdas #551

Open

jelmerdehen wants to merge 1 commit into PixlOne:main from jelmerdehen:fix/raw-dispatch-bounds


Conversation

@jelmerdehen

Summary

The filter lambdas in hidpp::Device::_setupReportsAndInit and hidpp10::ReceiverMonitor::_ready / waitForDevice index the raw byte buffer at Offset::Type, Offset::DeviceIndex, and Offset::SubID without checking that the buffer is large enough:

```cpp
return (report[Offset::Type] == Report::Type::Short || ...) &&
       (report[Offset::DeviceIndex] == index);
```

report is the raw std::vector<uint8_t> returned by read(hidraw_fd) and may be shorter than 2 bytes (a buggy or malicious device, or a partial read). std::vector::operator[] does no bounds checking, so this is undefined behaviour.

Fix

Add a report.size() <= Offset::DeviceIndex (or Offset::SubID) guard at the top of each filter lambda.

Test plan

  • Builds cleanly.
  • No behavioural change for normal-length reports.
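To make the failure mode concrete, here is an added, self-contained example (not code from logiops or from this PR) showing the unguarded filter beside the guarded form the PR describes. The `hidpp::Offset` and `Report::Type` definitions below are assumed minimal stand-ins named after the identifiers in the PR text; the report ID values follow the HID++ short/long report convention but are otherwise illustrative.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed stand-ins for logiops' hidpp::Offset and hidpp::Report::Type.
namespace hidpp {
    enum Offset : std::size_t { Type = 0, DeviceIndex = 1, SubID = 2 };
    namespace Report { enum Type : uint8_t { Short = 0x10, Long = 0x11 }; }
}

using RawReport = std::vector<uint8_t>;

// Hypothetical reconstruction of the unguarded filter: it indexes the buffer
// without checking its size. On a report shorter than 2 bytes the
// operator[] accesses are out of bounds (undefined behaviour).
bool filterUnchecked(const RawReport& report, uint8_t index) {
    return (report[hidpp::Offset::Type] == hidpp::Report::Type::Short ||
            report[hidpp::Offset::Type] == hidpp::Report::Type::Long) &&
           report[hidpp::Offset::DeviceIndex] == index;
}

// Guarded form: reject any report too short to contain the offsets we read,
// which is the approach the PR describes. A short or empty read from the
// hidraw fd now simply fails the filter instead of being dereferenced.
bool filterChecked(const RawReport& report, uint8_t index) {
    if (report.size() <= hidpp::Offset::DeviceIndex)
        return false;
    return (report[hidpp::Offset::Type] == hidpp::Report::Type::Short ||
            report[hidpp::Offset::Type] == hidpp::Report::Type::Long) &&
           report[hidpp::Offset::DeviceIndex] == index;
}

// Variant for filters that also read Offset::SubID (the ReceiverMonitor
// case): the guard must cover the largest offset the lambda touches.
bool filterCheckedSubId(const RawReport& report, uint8_t index, uint8_t subId) {
    if (report.size() <= hidpp::Offset::SubID)
        return false;
    return filterChecked(report, index) &&
           report[hidpp::Offset::SubID] == subId;
}
```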

Filter lambdas in hidpp::Device and hidpp10::ReceiverMonitor indexed
the raw byte buffer at Offset::Type, ::DeviceIndex, and ::SubID
without checking that the buffer was large enough. A short hidraw read
(possible from a malicious or buggy device, or partial reads under
load) would cause an out-of-bounds access on std::vector::operator[].
Reject reports shorter than the offsets we read.