git.openpandora.org
/
pandora-kernel.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
[pandora-kernel.git]
/
drivers
/
i2c
/
i2c-core.c
diff --git
a/drivers/i2c/i2c-core.c
b/drivers/i2c/i2c-core.c
index
c3793a7
..
8d96a47
100644
(file)
--- a/
drivers/i2c/i2c-core.c
+++ b/
drivers/i2c/i2c-core.c
@@
-2009,16
+2009,17
@@
static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
the underlying bus driver */
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
the underlying bus driver */
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
+ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev, "Invalid block %s size %d\n",
+ read_write == I2C_SMBUS_READ ? "read" : "write",
+ data->block[0]);
+ return -EINVAL;
+ }
+
if (read_write == I2C_SMBUS_READ) {
msg[1].len = data->block[0];
} else {
msg[0].len = data->block[0] + 1;
if (read_write == I2C_SMBUS_READ) {
msg[1].len = data->block[0];
} else {
msg[0].len = data->block[0] + 1;
- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
- dev_err(&adapter->dev,
- "Invalid block write size %d\n",
- data->block[0]);
- return -EINVAL;
- }
for (i = 1; i <= data->block[0]; i++)
msgbuf0[i] = data->block[i];
}
for (i = 1; i <= data->block[0]; i++)
msgbuf0[i] = data->block[i];
}
git.openpandora.org / pandora-kernel.git / blobdiff