| Message ID | Y0bUYc2fadLgoQfZ@kili |
|---|---|
| State | New |
| Headers | show |
| Series | i2c: dln2: prevent buffer overflow in dln2_i2c_write() | expand |
On Wed, Oct 12, 2022 at 05:51:13PM +0300, Dan Carpenter wrote: > The "data_len" value is use controlled via the ioctl. It needs to > be bounds checked to prevent a buffer overflow. > > Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/i2c/busses/i2c-dln2.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c > index 2a2089db71a5..14f4aeeb263d 100644 > --- a/drivers/i2c/busses/i2c-dln2.c > +++ b/drivers/i2c/busses/i2c-dln2.c > @@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr, > > BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE); > > + if (data_len > sizeof(tx->buf)) > + return -EINVAL; Never mind. This is checked in i2c_check_for_quirks() so the patch is not required. My bad. regards, dan carpenter
diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c index 2a2089db71a5..14f4aeeb263d 100644 --- a/drivers/i2c/busses/i2c-dln2.c +++ b/drivers/i2c/busses/i2c-dln2.c @@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr, BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE); + if (data_len > sizeof(tx->buf)) + return -EINVAL; + tx->port = dln2->port; tx->addr = addr; tx->mem_addr_len = 0;
The "data_len" value is use controlled via the ioctl. It needs to be bounds checked to prevent a buffer overflow. Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/i2c/busses/i2c-dln2.c | 3 +++ 1 file changed, 3 insertions(+)