Re: [PATCH] i2c-stub: Avoid an array overrun on I2C block transfers

On Thu, 17 Jul 2014 10:57:49 -0700, Guenter Roeck wrote:
> On Thu, Jul 17, 2014 at 07:27:20PM +0200, Wolfram Sang wrote:
> > On Sun, Jul 13, 2014 at 05:17:17PM +0200, Jean Delvare wrote:
> > > I2C block transfers can have a size up to 32 bytes. If starting close
> > 
> > Shouldn't that be "256 bytes"? 32 is SMBUS transfer size? Otherwise I
> > don't understand the patch.
>
> If I understand correctly, this is still an SMBus command, which is limited
> to 32 bytes. Maybe the description should read "SMBus I2C block transfers ...".

That's correct, "I2C block transfers" despite the name really are
SMBus-style transfers and the SMBus buffer size limit of 32 bytes thus
applies.

With this clarified, Wolfram, what is it that you do not understand?
The start of the block transfer can be anywhere in 0-255, and the size
can be in 1-32, so without a boundary check, one can attempt to read or
write up to offset 255 + 32 - 1 = 286, which is way beyond the end of
the chip->words array. My patch prevents that from happening.

-- 
Jean Delvare
SUSE L3 Support
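The arithmetic in Jean's reply, as an added illustration that is not part of the thread and not the i2c-stub patch itself: a simulated 256-entry register array, a helper that computes the last index an SMBus-style block transfer would touch (so the 255 + 32 - 1 = 286 case is visible), and a block read/write that rejects any transfer running past the array. The names `stub_chip`, `stub_block_fits`, `stub_block_write` and `stub_block_read` are hypothetical; only the 32-byte SMBus block limit and the 256-word array size come from the discussion.

```c
/* Added example, not the i2c-stub driver code: how an unchecked SMBus
 * "I2C block" transfer can index past a 256-entry register array, and
 * the boundary check that prevents it. All identifiers are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define I2C_SMBUS_BLOCK_MAX 32   /* SMBus block size limit discussed in the thread */
#define STUB_WORDS 256           /* one word per 8-bit register address */

struct stub_chip {
    uint16_t words[STUB_WORDS];  /* simulated register file */
};

/* Highest array index a transfer starting at 'command' with 'len' bytes
 * would touch. Computed in int so that 255 + 32 - 1 = 286 is not wrapped. */
static int stub_last_index(uint8_t command, int len)
{
    return (int)command + len - 1;
}

/* True when the whole transfer stays inside chip->words. */
static bool stub_block_fits(uint8_t command, int len)
{
    if (len < 1 || len > I2C_SMBUS_BLOCK_MAX)
        return false;
    return stub_last_index(command, len) < STUB_WORDS;
}

/* Block write guarded by the boundary check. Returns the number of bytes
 * written, or -1 (and writes nothing) when the transfer would overrun. */
static int stub_block_write(struct stub_chip *chip, uint8_t command,
                            const uint8_t *data, int len)
{
    int i;

    if (!stub_block_fits(command, len))
        return -1;
    for (i = 0; i < len; i++)
        chip->words[command + i] = data[i];
    return len;
}

/* Block read with the same guard; returns bytes read or -1 on overrun. */
static int stub_block_read(const struct stub_chip *chip, uint8_t command,
                           uint8_t *out, int len)
{
    int i;

    if (!stub_block_fits(command, len))
        return -1;
    for (i = 0; i < len; i++)
        out[i] = (uint8_t)chip->words[command + i];
    return len;
}

int main(void)
{
    struct stub_chip chip;
    uint8_t buf[I2C_SMBUS_BLOCK_MAX];
    int i;

    memset(&chip, 0, sizeof(chip));
    for (i = 0; i < I2C_SMBUS_BLOCK_MAX; i++)
        buf[i] = (uint8_t)i;    /* constructed sample payload */

    /* Worst case from the thread: start 255, length 32 -> last index 286. */
    printf("last index for (255, 32): %d, fits: %d\n",
           stub_last_index(255, 32), stub_block_fits(255, 32));
    printf("write 16 bytes at 0xF0: %d\n", stub_block_write(&chip, 0xF0, buf, 16));
    printf("write 32 bytes at 0xF0: %d\n", stub_block_write(&chip, 0xF0, buf, 32));
    return 0;
}
```

The check lives in one predicate so that read and write cannot drift apart; a length of 32 starting at 224 is the last transfer that fits, and anything starting at 225 or later with a full block is refused before a single element is touched.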