Commit c3efacaa authored by Jean Delvare's avatar Jean Delvare Committed by Greg Kroah-Hartman

[PATCH] scx200_acb: Fix the block transactions

The scx200_acb i2c bus driver pretends to support SMBus block
transactions, but in fact it implements the more simple I2C block
transactions. Additionally, it lacks sanity checks on the length
of the block transactions, which could lead to a buffer overrun.

This fixes an oops reported by Alexander Atanasov:
http://marc.theaimsgroup.com/?l=linux-kernel&m=114970382125094

Thanks to Ben Gardner for fixing my bugs :)
Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent fd627a01
...@@ -307,8 +307,12 @@ static s32 scx200_acb_smbus_xfer(struct i2c_adapter *adapter, ...@@ -307,8 +307,12 @@ static s32 scx200_acb_smbus_xfer(struct i2c_adapter *adapter,
buffer = (u8 *)&cur_word; buffer = (u8 *)&cur_word;
break; break;
case I2C_SMBUS_BLOCK_DATA: case I2C_SMBUS_I2C_BLOCK_DATA:
if (rw == I2C_SMBUS_READ)
data->block[0] = I2C_SMBUS_BLOCK_MAX; /* For now */
len = data->block[0]; len = data->block[0];
if (len == 0 || len > I2C_SMBUS_BLOCK_MAX)
return -EINVAL;
buffer = &data->block[1]; buffer = &data->block[1];
break; break;
...@@ -372,7 +376,7 @@ static u32 scx200_acb_func(struct i2c_adapter *adapter) ...@@ -372,7 +376,7 @@ static u32 scx200_acb_func(struct i2c_adapter *adapter)
{ {
return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE | return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE |
I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA | I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA |
I2C_FUNC_SMBUS_BLOCK_DATA; I2C_FUNC_SMBUS_I2C_BLOCK;
} }
/* For now, we only handle combined mode (smbus) */ /* For now, we only handle combined mode (smbus) */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment