Commit 44c6b4a9 authored by Stephen Douthit's avatar Stephen Douthit Committed by Greg Kroah-Hartman

i2c: ismt: Return EMSGSIZE for block reads with bogus length

commit ba201c4f upstream.

Compare the number of bytes actually seen on the wire to the byte
count field returned by the slave device.

Previously we just overwrote the byte count returned by the slave
with the real byte count and let the caller figure out if the
message was sane.
Signed-off-by: default avatarStephen Douthit <stephend@adiengineering.com>
Tested-by: default avatarDan Priamo <danp@adiengineering.com>
Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7a90bfae
...@@ -341,8 +341,10 @@ static int ismt_process_desc(const struct ismt_desc *desc, ...@@ -341,8 +341,10 @@ static int ismt_process_desc(const struct ismt_desc *desc,
break; break;
case I2C_SMBUS_BLOCK_DATA: case I2C_SMBUS_BLOCK_DATA:
case I2C_SMBUS_I2C_BLOCK_DATA: case I2C_SMBUS_I2C_BLOCK_DATA:
if (desc->rxbytes != dma_buffer[0] + 1)
return -EMSGSIZE;
memcpy(data->block, dma_buffer, desc->rxbytes); memcpy(data->block, dma_buffer, desc->rxbytes);
data->block[0] = desc->rxbytes - 1;
break; break;
} }
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment