HID: fix incorrent length condition in hidraw_write()

upstream commit 2b107d629dc0c35de606bb7b010b829cd247a93a

From: Jiri Kosina <jkosina@suse.cz>

The bound check on the buffer length

	if (count > HID_MIN_BUFFER_SIZE)

is of course incorrent, the proper check is

	if (count > HID_MAX_BUFFER_SIZE)

Fix it.

Reported-by: Jerry Ryle <jerry@mindtribe.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Paul Stoffregen <paul@pjrc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index c40f0403edafe1390d5fecb66604e095c8f70057..8c030d9dd0ddb61b3e63cf9db68759c1a8801726 100644 (file)
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t
        if (!dev->hid_output_raw_report)
                return -ENODEV;
 
-       if (count > HID_MIN_BUFFER_SIZE) {
+       if (count > HID_MAX_BUFFER_SIZE) {
                printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
                                task_pid_nr(current));
                return -EINVAL;