Skip to content

Commit

Permalink
i2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transacti…
Browse files Browse the repository at this point in the history 
…on()

memcpy() is called in a loop while 'operation->length' upper bound
is not checked and 'data_idx' also increments.

Fixes: b5b5b32 ("i2c: mlxbf: I2C SMBus driver for Mellanox BlueField SoC")
Reviewed-by: Khalil Blaiech <kblaiech@nvidia.com>
Signed-off-by: Asmaa Mnebhi <asmaa@nvidia.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
  • Loading branch information
@wsakernel
Asmaa Mnebhi authored and wsakernel committed Sep 17, 2022
1 parent 2a5be6d commit de24ace
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions drivers/i2c/busses/i2c-mlxbf.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -738,6 +738,9 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv,
if (flags & MLXBF_I2C_F_WRITE) {
write_en = 1;
write_len += operation->length;
if (data_idx + operation->length >
MLXBF_I2C_MASTER_DATA_DESC_SIZE)
return -ENOBUFS;
memcpy(data_desc + data_idx,
operation->buffer, operation->length);
data_idx += operation->length;
Expand Down

0 comments on commit de24ace

Please sign in to comment.