authorDavid Brownell <david-b@pacbell.net>2007-10-13 17:56:31 -0400
committerJean Delvare <khali@hyperion.delvare>2007-10-13 17:56:31 -0400
commite265cfa19c1220938de5f0291ed8d549a523de3c (patch)
treead50706c7cbf75a9302b6e244b22d93babb415c1
parent9d90c1fd9bdbffb456d1b1ef05215343503fd0b0 (diff)
i2c-dev: Reject I2C_M_RECV_LEN
The I2C_M_RECV_LEN calling convention for i2c_mesg.flags involves playing games with reported buffer lengths. (They start out less than their actual size, and the length is then modified to reflect how many bytes were delivered ... which one hopes is less than the presumed actual size.) Refuse to play such error prone games across the boundary between userspace and kernel. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Jean Delvare <khali@linux-fr.org>
-rw-r--r--drivers/i2c/i2c-dev.c6
1 files changed, 4 insertions, 2 deletions
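diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 64eee9551b22..df6e14c192d6 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -226,8 +226,10 @@ static int i2cdev_ioctl(struct inode *inode, struct file *file,
 
 res = 0;
 for( i=0; i<rdwr_arg.nmsgs; i++ ) {
-/* Limit the size of the message to a sane amount */
-if (rdwr_pa[i].len > 8192) {
+/* Limit the size of the message to a sane amount;
+* and don't let length change either. */
+if ((rdwr_pa[i].len > 8192) ||
+(rdwr_pa[i].flags & I2C_M_RECV_LEN)) {
 res = -EINVAL;
 break;
 }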
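Review bot: The new comment at new lines 229-230 says only "don't let length change either", which does not tell a reader what could change the length or why that matters at the userspace boundary; the reason is given only in the commit message. I would spell it out next to the test, e.g. `/* Reject I2C_M_RECV_LEN: it lets the transfer rewrite the message's len after userspace has declared the buffer size. */`. The condition is also a single-bit denylist, so any other bit set in the user-supplied `flags` still passes this check; whether the remaining bits are all safe to forward cannot be judged from the hunk, and a mask of permitted flags may be worth considering. The loop and the rest of i2cdev_ioctl continue outside the hunk.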