HID: hid-logitech-dj: fix off by one

There is a bug where a device with index 6 would write out of bounds in
the array of paired devices.
This patch fixes that problem.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Olivier Gay <ogay@logitech.com>
Signed-off-by: Nestor Lopez Casado <nlopezcasad@logitech.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

drivers/hid/hid-logitech-dj.c

@@ -179,9 +179,6 @@ static const u8 hid_reportid_size_map[NUMBER_OF_HID_REPORTS] = {
 
 #define LOGITECH_DJ_INTERFACE_NUMBER 0x02
 
-#define DJ_DEVICE_INDEX_MIN 1
-#define DJ_DEVICE_INDEX_MAX 6
-
 static struct hid_ll_driver logi_dj_ll_driver;
 
 static int logi_dj_output_hidraw_report(struct hid_device *hid, u8 * buf,
@@ -823,7 +820,7 @@ static void logi_dj_remove(struct hid_device *hdev)
 	 * have finished and no more raw_event callbacks should arrive after
 	 * the remove callback was triggered so no locks are put around the
 	 * code below */
-	for (i = 0; i < DJ_MAX_PAIRED_DEVICES; i++) {
+	for (i = 0; i < (DJ_MAX_PAIRED_DEVICES + DJ_DEVICE_INDEX_MIN); i++) {
 		dj_dev = djrcv_dev->paired_dj_devices[i];
 		if (dj_dev != NULL) {
 			hid_destroy_device(dj_dev->hdev);

drivers/hid/hid-logitech-dj.h

@@ -27,6 +27,8 @@
 
 #define DJ_MAX_PAIRED_DEVICES			6
 #define DJ_MAX_NUMBER_NOTIFICATIONS		8
+#define DJ_DEVICE_INDEX_MIN 			1
+#define DJ_DEVICE_INDEX_MAX 			6
 
 #define DJREPORT_SHORT_LENGTH			15
 #define DJREPORT_LONG_LENGTH			32
@@ -94,7 +96,8 @@ struct dj_report {
 
 struct dj_receiver_dev {
 	struct hid_device *hdev;
-	struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES];
+	struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES +
+					    DJ_DEVICE_INDEX_MIN];
 	struct work_struct work;
 	struct kfifo notif_fifo;
 	spinlock_t lock;