[PATCH 1/4] hwmon: (tps53679) Fix array access with zero-length block read

Next message: Pradhan, Sanman: "[PATCH 4/4] hwmon: (ltc4286) Add missing MODULE_IMPORT_NS(&quot;PMBUS&quot;)"
Previous message: Pradhan, Sanman: "[PATCH 3/4] hwmon: (pxe1610) Check return value of page-select write in probe"
In reply to: Guenter Roeck: "Re: [PATCH 3/4] hwmon: (pxe1610) Check return value of page-select write in probe"
Next in thread: Guenter Roeck: "Re: [PATCH 1/4] hwmon: (tps53679) Fix array access with zero-length block read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pradhan, Sanman

Date: Sun Mar 29 2026 - 13:11:47 EST

From: Sanman Pradhan <psanman@xxxxxxxxxxx>

i2c_smbus_read_block_data() can return 0, indicating a zero-length
read. When this happens, tps53679_identify_chip() accesses buf[ret - 1]
which is buf[-1], reading one byte before the buffer on the stack.

Fix by changing the check from "ret < 0" to "ret <= 0", treating a
zero-length read as an error (-EIO), which prevents the out-of-bounds
array access.

Also fix a typo in the adjacent comment: "if present" instead of
duplicate "if".

Fixes: 75ca1e5875fe ("hwmon: (pmbus/tps53679) Add support for TPS53685")
Signed-off-by: Sanman Pradhan <psanman@xxxxxxxxxxx>
---
drivers/hwmon/pmbus/tps53679.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/hwmon/pmbus/tps53679.c b/drivers/hwmon/pmbus/tps53679.c
index df2726659a4e..1a6abc32afe2 100644
--- a/drivers/hwmon/pmbus/tps53679.c
+++ b/drivers/hwmon/pmbus/tps53679.c
@@ -103,10 +103,10 @@ static int tps53679_identify_chip(struct i2c_client *client,
}

ret = i2c_smbus_read_block_data(client, PMBUS_IC_DEVICE_ID, buf);
- if (ret < 0)
- return ret;
+ if (ret <= 0)
+ return ret < 0 ? ret : -EIO;

- /* Adjust length if null terminator if present */
+ /* Adjust length if null terminator is present */
buf_len = (buf[ret - 1] != '\x00' ? ret : ret - 1);

id_len = strlen(id);
--
2.34.1