forked from Minki/linux
iio: accel: mma9551_core: prevent buffer overrun
The mma9551 functions that read/write word arrays from the device have a limit for the buffer size given by the device specifications. Check that the requested buffer length is within required limits when transferring word arrays. This will prevent buffer overrun in the mma9551_read/write_*_words functions and also in the mma9551_transfer call when writing into the MBOX response/request structure. Signed-off-by: Irina Tirdea <irina.tirdea@intel.com> Reported-by: Hartmut Knaack <knaack.h@gmx.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
This commit is contained in:
parent
cd62322a97
commit
2a4d20322d
@ -389,7 +389,12 @@ int mma9551_read_config_words(struct i2c_client *client, u8 app_id,
|
||||
{
|
||||
int ret, i;
|
||||
int len_words = len / sizeof(u16);
|
||||
__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS];
|
||||
__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS / 2];
|
||||
|
||||
if (len_words > ARRAY_SIZE(be_buf)) {
|
||||
dev_err(&client->dev, "Invalid buffer size %d\n", len);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_CONFIG,
|
||||
reg, NULL, 0, (u8 *) be_buf, len);
|
||||
@ -424,7 +429,12 @@ int mma9551_read_status_words(struct i2c_client *client, u8 app_id,
|
||||
{
|
||||
int ret, i;
|
||||
int len_words = len / sizeof(u16);
|
||||
__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS];
|
||||
__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS / 2];
|
||||
|
||||
if (len_words > ARRAY_SIZE(be_buf)) {
|
||||
dev_err(&client->dev, "Invalid buffer size %d\n", len);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS,
|
||||
reg, NULL, 0, (u8 *) be_buf, len);
|
||||
@ -459,7 +469,12 @@ int mma9551_write_config_words(struct i2c_client *client, u8 app_id,
|
||||
{
|
||||
int i;
|
||||
int len_words = len / sizeof(u16);
|
||||
__be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS];
|
||||
__be16 be_buf[(MMA9551_MAX_MAILBOX_DATA_REGS - 1) / 2];
|
||||
|
||||
if (len_words > ARRAY_SIZE(be_buf)) {
|
||||
dev_err(&client->dev, "Invalid buffer size %d\n", len);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
for (i = 0; i < len_words; i++)
|
||||
be_buf[i] = cpu_to_be16(buf[i]);
|
||||
|
Loading…
Reference in New Issue
Block a user