Commit 0f6ba0d1 authored by Jean Delvare's avatar Jean Delvare Committed by Wolfram Sang

i2c: stub: Avoid an array overrun on I2C block transfers

I2C block transfers can have a size up to 32 bytes. If starting close
to the end of the address space, there may not be enough room to write
that many bytes (on I2C block writes) or not enough bytes to be read
(on I2C block reads.) In that case, we must shorten the transfer so
that it does not exceed the address space.
Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
parent b299de83
...@@ -226,6 +226,8 @@ static s32 stub_xfer(struct i2c_adapter *adap, u16 addr, unsigned short flags, ...@@ -226,6 +226,8 @@ static s32 stub_xfer(struct i2c_adapter *adap, u16 addr, unsigned short flags,
* We ignore banks here, because banked chips don't use I2C * We ignore banks here, because banked chips don't use I2C
* block transfers * block transfers
*/ */
if (data->block[0] > 256 - command) /* Avoid overrun */
data->block[0] = 256 - command;
len = data->block[0]; len = data->block[0];
if (read_write == I2C_SMBUS_WRITE) { if (read_write == I2C_SMBUS_WRITE) {
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment