On Thu, 17 Jul 2014 10:57:49 -0700, Guenter Roeck wrote: > On Thu, Jul 17, 2014 at 07:27:20PM +0200, Wolfram Sang wrote: > > On Sun, Jul 13, 2014 at 05:17:17PM +0200, Jean Delvare wrote: > > > I2C block transfers can have a size up to 32 bytes. If starting close > > > > Shouldn't that be "256 bytes"? 32 is SMBUS transfer size? Otherwise I > > don't understand the patch. > > If I understand correctly, this is still an SMBus command, which is limited > to 32 bytes. Maybe the description should read "SMBus I2C block transfers ...". That's correct, "I2C block transfers" despite the name really are SMBus-style transfers and the SMBus buffer size limit of 32 bytes thus applies. With this clarified, Wolfram, what is is that you do not understand? The start of the block transfer can be anywhere in 0-255, and the size can be in 1-32, so without a boundary check, one can attempt to read or write up to offset 255 + 32 - 1 = 286, which is way beyond the the end of the chip->words array. My patch prevents that from happening. -- Jean Delvare SUSE L3 Support -- To unsubscribe from this list: send the line "unsubscribe linux-i2c" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
