i2c: stub: Avoid an array overrun on I2C block transfers

I2C block transfers can have a size up to 32 bytes. If starting close
to the end of the address space, there may not be enough room to write
that many bytes (on I2C block writes) or not enough bytes to be read
(on I2C block reads.) In that case, we must shorten the transfer so
that it does not exceed the address space.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
This commit is contained in:
Jean Delvare 2014-07-13 17:17:17 +02:00 committed by Wolfram Sang
parent b299de8391
commit 0f6ba0d15f
1 changed files with 2 additions and 0 deletions

View File

@ -226,6 +226,8 @@ static s32 stub_xfer(struct i2c_adapter *adap, u16 addr, unsigned short flags,
* We ignore banks here, because banked chips don't use I2C * We ignore banks here, because banked chips don't use I2C
* block transfers * block transfers
*/ */
if (data->block[0] > 256 - command) /* Avoid overrun */
data->block[0] = 256 - command;
len = data->block[0]; len = data->block[0];
if (read_write == I2C_SMBUS_WRITE) { if (read_write == I2C_SMBUS_WRITE) {
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {