aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJean Delvare <khali@linux-fr.org>2006-07-01 11:06:43 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2006-07-12 18:43:06 -0400
commitc3efacaa68a75049a859cbfd03d52dfdebb7527b (patch)
treeda3110f8c6754c55edd758d1d1bd1607e13cc322
parentfd627a01477dadaef3bc8556e5e9d0ef80310c3a (diff)
[PATCH] scx200_acb: Fix the block transactions
The scx200_acb i2c bus driver pretends to support SMBus block transactions, but in fact it implements the more simple I2C block transactions. Additionally, it lacks sanity checks on the length of the block transactions, which could lead to a buffer overrun. This fixes an oops reported by Alexander Atanasov: http://marc.theaimsgroup.com/?l=linux-kernel&m=114970382125094 Thanks to Ben Gardner for fixing my bugs :) Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/i2c/busses/scx200_acb.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/i2c/busses/scx200_acb.c b/drivers/i2c/busses/scx200_acb.c
index 454086affaa1..ced309ff056f 100644
--- a/drivers/i2c/busses/scx200_acb.c
+++ b/drivers/i2c/busses/scx200_acb.c
@@ -307,8 +307,12 @@ static s32 scx200_acb_smbus_xfer(struct i2c_adapter *adapter,
307 buffer = (u8 *)&cur_word; 307 buffer = (u8 *)&cur_word;
308 break; 308 break;
309 309
310 case I2C_SMBUS_BLOCK_DATA: 310 case I2C_SMBUS_I2C_BLOCK_DATA:
311 if (rw == I2C_SMBUS_READ)
312 data->block[0] = I2C_SMBUS_BLOCK_MAX; /* For now */
311 len = data->block[0]; 313 len = data->block[0];
314 if (len == 0 || len > I2C_SMBUS_BLOCK_MAX)
315 return -EINVAL;
312 buffer = &data->block[1]; 316 buffer = &data->block[1];
313 break; 317 break;
314 318
@@ -372,7 +376,7 @@ static u32 scx200_acb_func(struct i2c_adapter *adapter)
372{ 376{
373 return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE | 377 return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE |
374 I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA | 378 I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA |
375 I2C_FUNC_SMBUS_BLOCK_DATA; 379 I2C_FUNC_SMBUS_I2C_BLOCK;
376} 380}
377 381
378/* For now, we only handle combined mode (smbus) */ 382/* For now, we only handle combined mode (smbus) */