From mboxrd@z Thu Jan 1 00:00:00 1970 From: Guenter Roeck Subject: Re: [PATCH] i2c-stub: Avoid an array overrun on I2C block transfers Date: Sun, 13 Jul 2014 08:44:24 -0700 Message-ID: <53C2A958.8050702@roeck-us.net> References: <20140713171717.25497712@endymion.delvare> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20140713171717.25497712-R0o5gVi9kd7kN2dkZ6Wm7A@public.gmane.org> Sender: linux-i2c-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Jean Delvare , Linux I2C Cc: Wolfram Sang List-Id: linux-i2c@vger.kernel.org On 07/13/2014 08:17 AM, Jean Delvare wrote: > I2C block transfers can have a size up to 32 bytes. If starting close > to the end of the address space, there may not be enough room to write > that many bytes (on I2C block writes) or not enough bytes to be read > (on I2C block reads.) In that case, we must shorten the transfer so > that it does not exceed the address space. > > Signed-off-by: Jean Delvare > Cc: Guenter Roeck > Cc: Wolfram Sang > --- > drivers/i2c/i2c-stub.c | 2 ++ > 1 file changed, 2 insertions(+) > > --- linux-3.16-rc4.orig/drivers/i2c/i2c-stub.c 2014-07-12 11:56:30.933096483 +0200 > +++ linux-3.16-rc4/drivers/i2c/i2c-stub.c 2014-07-13 17:01:02.891235856 +0200 > @@ -220,6 +220,8 @@ static s32 stub_xfer(struct i2c_adapter > * We ignore banks here, because banked chips don't use I2C > * block transfers > */ > + if (data->block[0] > 256 - command) /* Avoid overrun */ > + data->block[0] = 256 - command; Hi Jean, is it safe to overwrite data->block[0], or should it be something like the following ? if (data->block[0] > 256 - command) /* Avoid overrun */ len = 256 - command; else len = data->block[0]; Also, wonder what happens in the real world if anyone does that. Would the write stop at offset 255, or would it wrap and write from 0 ? Thanks, Guenter