summaryrefslogtreecommitdiff
path: root/drivers/i2c
diff options
context:
space:
mode:
authorJean Delvare <jdelvare@suse.de>2014-07-13 17:17:17 +0200
committerWolfram Sang <wsa@the-dreams.de>2014-07-20 13:25:29 +0200
commit0f6ba0d15f43e2be8cae9e3906aa03fcfe231e5b (patch)
treedd634397d359a03d834c35d4715818e89d80f5a0 /drivers/i2c
parentb299de839157852c563b9f133c8b7e630545a9c3 (diff)
i2c: stub: Avoid an array overrun on I2C block transfers
I2C block transfers can have a size up to 32 bytes. If starting close to the end of the address space, there may not be enough room to write that many bytes (on I2C block writes) or not enough bytes to be read (on I2C block reads.) In that case, we must shorten the transfer so that it does not exceed the address space. Signed-off-by: Jean Delvare <jdelvare@suse.de> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Diffstat (limited to 'drivers/i2c')
-rw-r--r--drivers/i2c/i2c-stub.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/i2c/i2c-stub.c b/drivers/i2c/i2c-stub.c
index e815c6067ff3..d241aa295d96 100644
--- a/drivers/i2c/i2c-stub.c
+++ b/drivers/i2c/i2c-stub.c
@@ -226,6 +226,8 @@ static s32 stub_xfer(struct i2c_adapter *adap, u16 addr, unsigned short flags,
* We ignore banks here, because banked chips don't use I2C
* block transfers
*/
+ if (data->block[0] > 256 - command) /* Avoid overrun */
+ data->block[0] = 256 - command;
len = data->block[0];
if (read_write == I2C_SMBUS_WRITE) {
for (i = 0; i < len; i++) {