i2c-dev: Reject I2C_M_RECV_LEN
authorDavid Brownell <david-b@pacbell.net>
Sat, 13 Oct 2007 21:56:31 +0000 (23:56 +0200)
committerJean Delvare <khali@hyperion.delvare>
Sat, 13 Oct 2007 21:56:31 +0000 (23:56 +0200)
The I2C_M_RECV_LEN calling convention for i2c_msg.flags involves
playing games with reported buffer lengths.  (They start out less
than their actual size, and the length is then modified to reflect
how many bytes were delivered ... which one hopes is less than the
presumed actual size.)  Refuse to play such error-prone games across
the boundary between userspace and kernel.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
drivers/i2c/i2c-dev.c

index 64eee9551b2203f73654890921e766c4a7608c31..df6e14c192d69b2d735785bb7b14280c48f7cd40 100644 (file)
@@ -226,8 +226,10 @@ static int i2cdev_ioctl(struct inode *inode, struct file *file,
 
                res = 0;
                for( i=0; i<rdwr_arg.nmsgs; i++ ) {
-                       /* Limit the size of the message to a sane amount */
-                       if (rdwr_pa[i].len > 8192) {
+                       /* Limit the size of the message to a sane amount;
+                        * and don't let length change either. */
+                       if ((rdwr_pa[i].len > 8192) ||
+                           (rdwr_pa[i].flags & I2C_M_RECV_LEN)) {
                                res = -EINVAL;
                                break;
                        }
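Review bot: The new comment `and don't let length change either` does not say what would change the length or why that matters for a message coming from userspace, so the reason for the `I2C_M_RECV_LEN` test can only be recovered from the commit message. A comment such as `/* I2C_M_RECV_LEN lets the transfer rewrite msg.len afterwards; a length supplied by userspace must stay fixed, so refuse the flag. */` would keep that reasoning next to the check. The test also rejects one named flag rather than accepting a known set of flags, so a flag added later with similar buffer-length semantics would pass unless this line is updated; masking `flags` against the permitted set would make the check fail closed. The loop body and the rest of i2cdev_ioctl continue outside the hunk, so how `len` is used after this check is not visible here.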