From: Marek Roszko <mark.roszko@gmail.com>
Date: Thu, 21 Aug 2014 01:39:41 +0000 (-0400)
Subject: i2c: at91: add bound checking on SMBus block length bytes
X-Git-Tag: fixes-v3.17-rc4~17^2~1
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75b81f339c6af43f6f4a1b3eabe0603321dade65;p=pandora-kernel.git

i2c: at91: add bound checking on SMBus block length bytes

The driver was not bound checking the received length byte to ensure it was within the
the buffer size that is allocated for SMBus blocks. This resulted in buffer overflows
whenever an invalid length byte was received.
It also failed to ensure the length byte was not zero. If it received zero, it would end up
in an infinite loop as the at91_twi_read_next_byte function returned immediately without
allowing RHR to be read to clear the RXRDY interrupt.

Tested agaisnt a SMBus compliant battery.

Signed-off-by: Marek Roszko <mark.roszko@gmail.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
---

Reading git-diff-tree failed