On Wed, 6 Aug 2003 08:47:49 +0200 Jean Delvare <khali at linux-fr.org> wrote:

> > > I have found a reproducible bug in i2c-viapro (lm_sensors-2.8.0).
> > > When the device replies to SMBus Block Read with an absurdly large
> > > length, this driver accepts it without checking and overruns the
> > > data buffer. Tried with VT8325 and VT82C686.
> > (...)
> > I'll commit this patch now.
>
> The fix should use I2C_SMBUS_BLOCK_MAX as defined in linux/i2c.h.

Then the block write case should be modified too.

> Also, I think I'd prefer to return an error than to truncate silently,
> but that may be discussed.

I also think it would be better - I just followed the example in the
block write handling, which truncates the block.

> Also (just in case), isn't it possible to fix that at a lower level (in
> i2c-core maybe) so that we don't have to check it later in all drivers?

For reads, no - only the driver can check the length returned by the
controller before copying data into the buffer. For writes the check can
be made in i2c-core.
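
The read-side check discussed in this message, as an added user-space example; it is not part of the original message and not code from i2c-viapro or i2c-core. The mock controller (struct fake_hw), block_read() and the choice of -EPROTO are assumptions for illustration; I2C_SMBUS_BLOCK_MAX is 32 as in linux/i2c.h.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32  /* same value as linux/i2c.h */

/* Constructed stand-in for the controller's block data registers:
 * count is the length byte the slave device returned. */
struct fake_hw {
    uint8_t count;
    uint8_t fifo[256];
};

/* Caller buffer laid out like union i2c_smbus_data.block:
 * block[0] = length, block[1..] = data. */
struct smbus_block {
    uint8_t block[I2C_SMBUS_BLOCK_MAX + 2];
};

/* Hypothetical driver read path. The length comes from the device, so it
 * is validated before any byte is copied. Returns 0 or a negative errno;
 * an oversized length is reported as an error, not silently truncated. */
int block_read(const struct fake_hw *hw, struct smbus_block *out)
{
    uint8_t len = hw->count;

    if (len > I2C_SMBUS_BLOCK_MAX)
        return -EPROTO;

    out->block[0] = len;
    memcpy(&out->block[1], hw->fifo, len);
    return 0;
}

int main(void)
{
    struct fake_hw hw;
    struct smbus_block buf;

    memset(&hw, 0xAA, sizeof(hw));   /* constructed sample data */
    hw.count = 4;                    /* well-formed reply */
    printf("len=4   -> %d\n", block_read(&hw, &buf));
    hw.count = 200;                  /* would overrun buf if unchecked */
    printf("len=200 -> %d\n", block_read(&hw, &buf));
    return 0;
}
```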