[PATCH 2.4] I2C updates for 2.4.28 (3/5)

From: Jean Delvare
Date: Sat Nov 20 2004 - 07:27:57 EST


Original report and discussion:
http://marc.theaimsgroup.com/?l=linux-arm-kernel&m=109816546827995&w=2
http://marc.theaimsgroup.com/?l=linux-arm-kernel&m=109926079025024&w=2

Bottom line:
Two hardcoded buffer sizes in i2c_smbus_xfer_emulated (i2c-core) should
depend on I2C_SMBUS_BLOCK_MAX. Else increasing I2C_SMBUS_BLOCK_MAX (in
include/linux/i2c.h) will result in buffer overflows.

Credits go to Tehn Yit Chin for noticing the suspicious hardcoded
values.

Signed-off-by: Jean Delvare <khali@xxxxxxxxxxxx>

--- linux-2.4.28-rc1/drivers/i2c/i2c-core.c.orig 2004-10-27 23:45:48.000000000 +0200
+++ linux-2.4.28-rc1/drivers/i2c/i2c-core.c 2004-10-29 19:18:09.000000000 +0200
@@ -1098,8 +1098,8 @@
need to use only one message; when reading, we need two. We initialize
most things with sane defaults, to keep the code below somewhat
simpler. */
- unsigned char msgbuf0[34];
- unsigned char msgbuf1[34];
+ unsigned char msgbuf0[I2C_SMBUS_BLOCK_MAX+2];
+ unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2];
int num = read_write == I2C_SMBUS_READ?2:1;
struct i2c_msg msg[2] = { { addr, flags, 1, msgbuf0 },
{ addr, flags | I2C_M_RD, 0, msgbuf1 }
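
Review bot: The `+2` in the new `msgbuf0` and `msgbuf1` declarations is still an unexplained magic number, so the next person to touch these sizes has to rediscover which two bytes precede the block data. A one-line comment above the declarations, or a named constant for the overhead, would document it. Kernel style would also put spaces around the operator, as in `I2C_SMBUS_BLOCK_MAX + 2`. The rest of the function is not visible in this hunk, so it is worth confirming that any length check on the block count before it is copied into these buffers also compares against `I2C_SMBUS_BLOCK_MAX` rather than a literal. Otherwise the arrays and the check can drift apart again when the constant changes.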


--
Jean Delvare
http://khali.linux-fr.org/