Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

i2c-dev: Reject I2C_M_RECV_LEN

The I2C_M_RECV_LEN calling convention for i2c_mesg.flags involves
playing games with reported buffer lengths. (They start out less
than their actual size, and the length is then modified to reflect
how many bytes were delivered ... which one hopes is less than the
presumed actual size.) Refuse to play such error prone games across
the boundary between userspace and kernel.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

authored by David Brownell and committed by Jean Delvare
e265cfa1 9d90c1fd

+4 -2
drivers/i2c/i2c-dev.c
··· 226 226 227 227 res = 0; 228 228 for( i=0; i<rdwr_arg.nmsgs; i++ ) { 229 - /* Limit the size of the message to a sane amount */ 230 - if (rdwr_pa[i].len > 8192) { 229 + /* Limit the size of the message to a sane amount; 230 + * and don't let length change either. */ 231 + if ((rdwr_pa[i].len > 8192) || 232 + (rdwr_pa[i].flags & I2C_M_RECV_LEN)) { 231 233 res = -EINVAL; 232 234 break; 233 235 }
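Review bot: The new comment in the rdwr_pa[i] loop, "and don't let length change either", does not say what would change the length or why that matters here, so a later cleanup could drop the I2C_M_RECV_LEN test as unrelated to the size limit. Suggest naming the flag in the comment and stating the reason given in the commit message: with I2C_M_RECV_LEN the reported len starts out smaller than the buffer and is rewritten to the number of bytes delivered, which this ioctl path does not want to trust across the userspace boundary. Two smaller points: both conditions now return the same -EINVAL, so a caller cannot tell an oversized message from a rejected flag, and since callers that previously passed I2C_M_RECV_LEN will start failing, the restriction deserves a line in the i2c-dev userspace documentation. The inner parentheses around each operand of || are redundant.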