On Wed, Oct 12, 2022 at 05:51:13PM +0300, Dan Carpenter wrote:
> The "data_len" value is use controlled via the ioctl. It needs to
> be bounds checked to prevent a buffer overflow.
>
> Fixes: db23e5001f75 ("i2c: add support for Diolan DLN-2 USB-I2C adapter")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/i2c/busses/i2c-dln2.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-dln2.c b/drivers/i2c/busses/i2c-dln2.c
> index 2a2089db71a5..14f4aeeb263d 100644
> --- a/drivers/i2c/busses/i2c-dln2.c
> +++ b/drivers/i2c/busses/i2c-dln2.c
> @@ -83,6 +83,9 @@ static int dln2_i2c_write(struct dln2_i2c *dln2, u8 addr,
>
> BUILD_BUG_ON(sizeof(*tx) > DLN2_I2C_BUF_SIZE);
>
> + if (data_len > sizeof(tx->buf))
> + return -EINVAL;
Never mind. This is checked in i2c_check_for_quirks() so the patch is
not required. My bad.
regards,
dan carpenter
