The "data_len" value is use controlled via the ioctl. It needs to
be bounds checked to prevent a buffer overflow.
Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/i2c/busses/i2c-dln2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c
index 2a2089db71a5..14f4aeeb263d 100644
--- a/drivers/i2c/busses/i2c-dln2.c
+++ b/drivers/i2c/busses/i2c-dln2.c
@@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr,
BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE);
+ if (data_len > sizeof(tx->buf))
+ return -EINVAL;
+
tx->port = dln2->port;
tx->addr = addr;
tx->mem_addr_len = 0;
--
2.35.1
