[PATCH] i2c: dln2: prevent buffer overflow in dln2_i2c

public inbox for linux-i2c@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] i2c: dln2: prevent buffer overflow in dln2_i2c_write()
@ 2022-10-12 14:51 Dan Carpenter
  2022-10-14 14:25 ` Dan Carpenter
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2022-10-12 14:51 UTC (permalink / raw)
  To: Wolfram Sang
  Cc: Johan Hovold, Lee Jones, Octavian Purdila, Laurentiu Palcu,
	linux-i2c, kernel-janitors

The "data_len" value is use controlled via the ioctl.  It needs to
be bounds checked to prevent a buffer overflow.

Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/i2c/busses/i2c-dln2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c
index 2a2089db71a5..14f4aeeb263d 100644
--- a/drivers/i2c/busses/i2c-dln2.c
+++ b/drivers/i2c/busses/i2c-dln2.c
@@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr,
 
 	BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE);
 
+	if (data_len > sizeof(tx->buf))
+		return -EINVAL;
+
 	tx->port = dln2->port;
 	tx->addr = addr;
 	tx->mem_addr_len = 0;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] i2c: dln2: prevent buffer overflow in dln2_i2c_write()
  2022-10-12 14:51 [PATCH] i2c: dln2: prevent buffer overflow in dln2_i2c_write() Dan Carpenter
@ 2022-10-14 14:25 ` Dan Carpenter
  0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2022-10-14 14:25 UTC (permalink / raw)
  To: Wolfram Sang
  Cc: Johan Hovold, Lee Jones, Octavian Purdila, Laurentiu Palcu,
	linux-i2c, kernel-janitors

On Wed, Oct 12, 2022 at 05:51:13PM +0300, Dan Carpenter wrote:
> The "data_len" value is use controlled via the ioctl.  It needs to
> be bounds checked to prevent a buffer overflow.
> 
> Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/i2c/busses/i2c-dln2.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c
> index 2a2089db71a5..14f4aeeb263d 100644
> --- a/drivers/i2c/busses/i2c-dln2.c
> +++ b/drivers/i2c/busses/i2c-dln2.c
> @@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr,
>  
>  	BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE);
>  
> +	if (data_len > sizeof(tx->buf))
> +		return -EINVAL;

Never mind.  This is checked in i2c_check_for_quirks() so the patch is
not required.  My bad.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-10-14 14:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-12 14:51 [PATCH] i2c: dln2: prevent buffer overflow in dln2_i2c_write() Dan Carpenter
2022-10-14 14:25 ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox