The data->block[0] variable comes from user and is a number between 0-255. Without proper check, the variable may be very large to cause an out-of-bounds when performing memcpy in slimpro_i2c_blkwr. Fix this bug by checking the value of data->block[0]. Signed-off-by: Wei Chen <harperchen1110@xxxxxxxxx> --- drivers/i2c/busses/i2c-xgene-slimpro.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c index 63259b3ea5ab..bc9a3e7e0c96 100644 --- a/drivers/i2c/busses/i2c-xgene-slimpro.c +++ b/drivers/i2c/busses/i2c-xgene-slimpro.c @@ -391,6 +391,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, &data->block[0]); } else { + + if (data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX) + return -EINVAL; + ret = slimpro_i2c_blkwr(ctx, addr, command, SMBUS_CMD_LEN, SLIMPRO_IIC_SMB_PROTOCOL, @@ -408,6 +412,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, IIC_SMB_WITHOUT_DATA_LEN, &data->block[1]); } else { + + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) + return -EINVAL; + ret = slimpro_i2c_blkwr(ctx, addr, command, SMBUS_CMD_LEN, SLIMPRO_IIC_I2C_PROTOCOL, -- 2.25.1
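Review bot: In the first hunk (the SLIMPRO_IIC_SMB_PROTOCOL branch) the check is `data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX`, which rejects a length equal to I2C_SMBUS_BLOCK_MAX, while the check in the second hunk accepts that value. The length argument of this slimpro_i2c_blkwr call is cut off by the hunk context, so the reason for the extra 1 cannot be confirmed from the patch. Please add a short comment above the check, or a sentence in the commit message, saying which byte the `+ 1` accounts for.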
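Review bot: In the second hunk (the SLIMPRO_IIC_I2C_PROTOCOL branch) the added block starts with an empty line directly after `} else {`; drop it so the check follows the brace, and do the same in the first hunk. The commit message names the memcpy in slimpro_i2c_blkwr as the overflow site but not the destination buffer or its size, so a reader cannot tell from the patch why `data->block[0] > I2C_SMBUS_BLOCK_MAX` is the right limit here. Stating that size in the message would settle it, and since the message carries only a Signed-off-by, a Fixes: tag naming the commit that introduced the unchecked copy would help backporting.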