Raise "Report Count" value limit in HID descriptor parser.

This fixes usage/report size calculation of Microsoft`s "Touch Hardware Quality Assurance" certificate blob found in many touchscreens. While here, join several "c->flags = dval" lines in to single line. Reviewed by: hselasky MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D16357
2026-06-08 16:22:46 -04:00 · 2018-07-21 14:20:17 +00:00 · 2018-07-21 14:20:17 +00:00 · 99a4d2ce08
commit 99a4d2ce08
parent 34fc9072ce
1 changed files with 9 additions and 9 deletions
--- a/sys/dev/usb/usb_hid.c
+++ b/sys/dev/usb/usb_hid.c
@ -74,6 +74,7 @@ static uint8_t hid_get_byte(struct hid_data *s, const uint16_t wSize);
 #define	MAXUSAGE 64
 #define	MAXPUSH 4
 #define	MAXID 16
+#define	MAXLOCCNT 1024

 struct hid_pos_data {
 	int32_t rid;
@ -91,10 +92,10 @@ struct hid_data {
 	int32_t usage_last;	/* last seen usage */
 	uint32_t loc_size;	/* last seen size */
 	uint32_t loc_count;	/* last seen count */
+	uint32_t ncount;	/* end usage item count */
+	uint32_t icount;	/* current usage item count */
 	uint8_t	kindset;	/* we have 5 kinds so 8 bits are enough */
 	uint8_t	pushlevel;	/* current pushlevel */
-	uint8_t	ncount;		/* end usage item count */
-	uint8_t icount;		/* current usage item count */
 	uint8_t	nusage;		/* end "usages_min/max" index */
 	uint8_t	iusage;		/* current "usages_min/max" index */
 	uint8_t ousage;		/* current "usages_min/max" offset */
@ -347,18 +348,19 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 			switch (bTag) {
 			case 8:	/* Input */
 				c->kind = hid_input;
-				c->flags = dval;
 		ret:
+				c->flags = dval;
 				c->loc.count = s->loc_count;
 				c->loc.size = s->loc_size;

 				if (c->flags & HIO_VARIABLE) {
 					/* range check usage count */
-					if (c->loc.count > 255) {
+					if (c->loc.count > MAXLOCCNT) {
 						DPRINTFN(0, "Number of "
-						    "items(%u) truncated to 255\n",
-						    (unsigned)(c->loc.count));
-						s->ncount = 255;
+						    "items(%u) truncated to %u\n",
+						    (unsigned)(c->loc.count),
+						    MAXLOCCNT);
+						s->ncount = MAXLOCCNT;
 					} else
 						s->ncount = c->loc.count;

@ -374,7 +376,6 @@ hid_get_item(struct hid_data *s, struct hid_item *h)

 			case 9:	/* Output */
 				c->kind = hid_output;
-				c->flags = dval;
 				goto ret;
 			case 10:	/* Collection */
 				c->kind = hid_collection;
@ -385,7 +386,6 @@ hid_get_item(struct hid_data *s, struct hid_item *h)
 				return (1);
 			case 11:	/* Feature */
 				c->kind = hid_feature;
-				c->flags = dval;
 				goto ret;
 			case 12:	/* End collection */
 				c->kind = hid_endcollection;