diff --git a/src/add-ons/kernel/drivers/input/usb_hid/TabletProtocolHandler.cpp b/src/add-ons/kernel/drivers/input/usb_hid/TabletProtocolHandler.cpp
index 18496fef3d..d6c02b2160 100644
--- a/src/add-ons/kernel/drivers/input/usb_hid/TabletProtocolHandler.cpp
+++ b/src/add-ons/kernel/drivers/input/usb_hid/TabletProtocolHandler.cpp
@@ -18,6 +18,7 @@
 #include "HIDReportItem.h"
 #include
+#include
 #include
 #include
@@ -189,9 +190,17 @@ TabletProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 return B_BUFFER_OVERFLOW;
 while (true) {
- status_t result = _ReadReport(buffer, cookie);
- if (result != B_INTERRUPTED)
- return result;
+ tablet_movement movement;
+ status_t result = _ReadReport(&movement, cookie);
+ if (result == B_INTERRUPTED)
+ continue;
+ if (!IS_USER_ADDRESS(buffer)
+ || user_memcpy(buffer, &movement, sizeof(movement))
+ != B_OK) {
+ return B_BAD_ADDRESS;
+ }
+
+ return result;
 }
 }
@@ -205,12 +214,13 @@ TabletProtocolHandler::Control(uint32 *cookie, uint32 op, void *buffer,
 }
 case MS_SET_CLICKSPEED:
-#ifdef __HAIKU__
- return user_memcpy(&fClickSpeed, buffer, sizeof(bigtime_t));
-#else
- fClickSpeed = *(bigtime_t *)buffer;
+ if (!IS_USER_ADDRESS(buffer)
+ || user_memcpy(&fClickSpeed, buffer, sizeof(bigtime_t))
+ != B_OK) {
+ return B_BAD_ADDRESS;
+ }
+
 return B_OK;
-#endif
 }
 return B_ERROR;
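Review bot: In the `while (true)` loop of the second hunk, `movement` is an uninitialised stack struct that is copied to user space whenever `_ReadReport` returns anything other than B_INTERRUPTED, including an error. If `_ReadReport` can fail before it has filled every field (its body is not visible here, so this is inferred), the `user_memcpy` hands stale kernel stack bytes, padding included, to the caller, and a failing copy then replaces the original error with B_BAD_ADDRESS. Zero the struct and skip the copy on failure: `memset(&movement, 0, sizeof(movement));` before the call and `if (result != B_OK) return result;` ahead of the address check. Control() starts and ends outside the hunk.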
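Review bot: In the `MS_SET_CLICKSPEED` case, `user_memcpy` writes straight into `fClickSpeed`, so a fault part-way through the copy may leave the member partially overwritten even though the call reports B_BAD_ADDRESS. Copying into a local and assigning only on success avoids that: `bigtime_t clickSpeed;`, `user_memcpy(&clickSpeed, buffer, sizeof(clickSpeed))`, then `fClickSpeed = clickSpeed;`. No length check for this op is visible in the hunk, unlike the B_BUFFER_OVERFLOW return in the read path; if Control() receives a length, compare it with `sizeof(bigtime_t)` before copying. The rest of Control() is outside the hunk.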