From e265cfa19c1220938de5f0291ed8d549a523de3c Mon Sep 17 00:00:00 2001 From: David Brownell Date: Sat, 13 Oct 2007 23:56:31 +0200 Subject: i2c-dev: Reject I2C_M_RECV_LEN The I2C_M_RECV_LEN calling convention for i2c_mesg.flags involves playing games with reported buffer lengths. (They start out less than their actual size, and the length is then modified to reflect how many bytes were delivered ... which one hopes is less than the presumed actual size.) Refuse to play such error prone games across the boundary between userspace and kernel. Signed-off-by: David Brownell Signed-off-by: Jean Delvare --- drivers/i2c/i2c-dev.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers/i2c') diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c index 64eee9551b22..df6e14c192d6 100644 --- a/drivers/i2c/i2c-dev.c +++ b/drivers/i2c/i2c-dev.c @@ -226,8 +226,10 @@ static int i2cdev_ioctl(struct inode *inode, struct file *file, res = 0; for( i=0; i 8192) { + /* Limit the size of the message to a sane amount; + * and don't let length change either. */ + if ((rdwr_pa[i].len > 8192) || + (rdwr_pa[i].flags & I2C_M_RECV_LEN)) { res = -EINVAL; break; } -- cgit v1.2.3