@@ -757,6 +757,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
for (i = 0; i < num; i++) {
addr = msgs[i].addr << 1;
+ if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+ ret = -EIO;
+ goto err;
+ }
if (((i + 1) < num)
&& (msgs[i].len == 1)
&& ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +792,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
addr, msgs[i].len);
- if (msgs[i].len < 1) {
- ret = -EIO;
- goto err;
- }
req = AZ6007_I2C_WR;
index = msgs[i].buf[0];
value = addr | (1 << 8);
@@ -806,10 +806,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
addr, msgs[i].len);
- if (msgs[i].len < 1) {
- ret = -EIO;
- goto err;
- }
req = AZ6007_I2C_RD;
index = msgs[i].buf[0];
value = addr;
@@ -825,7 +821,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
}
err:
mutex_unlock(&st->mutex);
-
if (ret < 0) {
pr_info("%s ERROR: %i\n", __func__, ret);
return ret;
I2C messages should not be longer than a couple of hundred bytes. However, despite this very unlikely scenario, it can happen and in this case, this could lead to a buffer overflow in i2c_xfer. Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-)