fixup! WIP: HID: transport: spi: add Apple SPI transport

HID: transport: spi: apple: verify payload size

Signed-off-by: Janne Grunau <j@jannau.net>

Author: jannau

drivers/hid/spi-hid/spi-hid-apple-core.c

@@ -681,26 +681,29 @@ static void spihid_process_message(struct spihid_apple *spihid, u8 *data,
 	struct device *dev = &spihid->spidev->dev;
 	struct spihid_msg_hdr *hdr;
 	bool handled = false;
+	size_t payload_len;
 	u8 *payload;
 
 	if (!spihid_verify_msg(spihid, data, length))
 		return;
 
 	hdr = (struct spihid_msg_hdr *)data;
+	payload_len = le16_to_cpu(hdr->length);
 
-	if (hdr->length == 0)
+	if (payload_len == 0 ||
+		(payload_len + sizeof(struct spihid_msg_hdr) + 2) > length)
 		return;
 
 	payload = data + sizeof(struct spihid_msg_hdr);
 
 	switch (flags) {
 	case SPIHID_READ_PACKET:
 		handled = spihid_process_input_report(spihid, device, hdr,
-						      payload, le16_to_cpu(hdr->length));
+						      payload, payload_len);
 		break;
 	case SPIHID_WRITE_PACKET:
 		handled = spihid_process_response(spihid, device, hdr, payload,
-						  le16_to_cpu(hdr->length));
+						  payload_len);
 		break;
 	default:
 		break;