i2c: stub: Avoid an array overrun on I2C block transfers

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

I2C block transfers can have a size up to 32 bytes. If starting close
to the end of the address space, there may not be enough room to write
that many bytes (on I2C block writes) or not enough bytes to be read
(on I2C block reads.) In that case, we must shorten the transfer so
that it does not exceed the address space.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>

authored by

Jean Delvare and committed by

Wolfram Sang 11 years ago 0f6ba0d1 b299de83

1 changed file

expand all

drivers

i2c

i2c-stub.c

drivers/i2c/i2c-stub.c

··· 226 226 * We ignore banks here, because banked chips don't use I2C 227 227 * block transfers 228 228 */ 229 + if (data->block[0] > 256 - command) /* Avoid overrun */ 230 + data->block[0] = 256 - command; 229 231 len = data->block[0]; 230 232 if (read_write == I2C_SMBUS_WRITE) { 231 233 for (i = 0; i < len; i++) {