diff mbox series

i2c: dln2: prevent buffer overflow in dln2_i2c_write()

Message ID Y0bUYc2fadLgoQfZ@kili
State New
Headers show
Series i2c: dln2: prevent buffer overflow in dln2_i2c_write() | expand

Commit Message

Dan Carpenter Oct. 12, 2022, 2:51 p.m. UTC
The "data_len" value is use controlled via the ioctl.  It needs to
be bounds checked to prevent a buffer overflow.

Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/i2c/busses/i2c-dln2.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Dan Carpenter Oct. 14, 2022, 2:25 p.m. UTC | #1
On Wed, Oct 12, 2022 at 05:51:13PM +0300, Dan Carpenter wrote:
> The "data_len" value is use controlled via the ioctl.  It needs to
> be bounds checked to prevent a buffer overflow.
> 
> Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/i2c/busses/i2c-dln2.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c
> index 2a2089db71a5..14f4aeeb263d 100644
> --- a/drivers/i2c/busses/i2c-dln2.c
> +++ b/drivers/i2c/busses/i2c-dln2.c
> @@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr,
>  
>  	BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE);
>  
> +	if (data_len > sizeof(tx->buf))
> +		return -EINVAL;

Never mind.  This is checked in i2c_check_for_quirks() so the patch is
not required.  My bad.

regards,
dan carpenter
diff mbox series

Patch

diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c
index 2a2089db71a5..14f4aeeb263d 100644
--- a/drivers/i2c/busses/i2c-dln2.c
+++ b/drivers/i2c/busses/i2c-dln2.c
@@ -83,6 +83,9 @@  static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr,
 
 	BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE);
 
+	if (data_len > sizeof(tx->buf))
+		return -EINVAL;
+
 	tx->port = dln2->port;
 	tx->addr = addr;
 	tx->mem_addr_len = 0;