From: Jean Delvare <jdelvare-l3A5Bk7waGM@public.gmane.org>
To: Guenter Roeck <linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
Cc: Wolfram Sang <wsa-z923LK4zBo2bacvFa/9K2g@public.gmane.org>,
Linux I2C <linux-i2c-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] i2c-stub: Avoid an array overrun on I2C block transfers
Date: Thu, 17 Jul 2014 20:50:28 +0200 [thread overview]
Message-ID: <20140717205028.76c1bc66@endymion.delvare> (raw)
In-Reply-To: <20140717175749.GA25303-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
On Thu, 17 Jul 2014 10:57:49 -0700, Guenter Roeck wrote:
> On Thu, Jul 17, 2014 at 07:27:20PM +0200, Wolfram Sang wrote:
> > On Sun, Jul 13, 2014 at 05:17:17PM +0200, Jean Delvare wrote:
> > > I2C block transfers can have a size up to 32 bytes. If starting close
> >
> > Shouldn't that be "256 bytes"? 32 is SMBUS transfer size? Otherwise I
> > don't understand the patch.
>
> If I understand correctly, this is still an SMBus command, which is limited
> to 32 bytes. Maybe the description should read "SMBus I2C block transfers ...".
That's correct, "I2C block transfers" despite the name really are
SMBus-style transfers and the SMBus buffer size limit of 32 bytes thus
applies.
With this clarified, Wolfram, what is is that you do not understand?
The start of the block transfer can be anywhere in 0-255, and the size
can be in 1-32, so without a boundary check, one can attempt to read or
write up to offset 255 + 32 - 1 = 286, which is way beyond the
the end of the chip->words array. My patch prevents that from happening.
--
Jean Delvare
SUSE L3 Support
next prev parent reply other threads:[~2014-07-17 18:50 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-13 15:17 [PATCH] i2c-stub: Avoid an array overrun on I2C block transfers Jean Delvare
[not found] ` <20140713171717.25497712-R0o5gVi9kd7kN2dkZ6Wm7A@public.gmane.org>
2014-07-13 15:44 ` Guenter Roeck
[not found] ` <53C2A958.8050702-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
2014-07-13 16:24 ` Jean Delvare
[not found] ` <20140713182444.4b95224d-R0o5gVi9kd7kN2dkZ6Wm7A@public.gmane.org>
2014-07-13 16:42 ` Guenter Roeck
2014-07-17 17:27 ` Wolfram Sang
2014-07-17 17:57 ` Guenter Roeck
[not found] ` <20140717175749.GA25303-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
2014-07-17 18:50 ` Jean Delvare [this message]
[not found] ` <20140717205028.76c1bc66-R0o5gVi9kd7kN2dkZ6Wm7A@public.gmane.org>
2014-07-18 9:09 ` Wolfram Sang
2014-07-18 9:13 ` Wolfram Sang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140717205028.76c1bc66@endymion.delvare \
--to=jdelvare-l3a5bk7wagm@public.gmane.org \
--cc=linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org \
--cc=linux-i2c-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=wsa-z923LK4zBo2bacvFa/9K2g@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox