i2c-dev: Reject I2C_M_RECV_LEN

The I2C_M_RECV_LEN calling convention for i2c_mesg.flags involves playing games with reported buffer lengths. (They start out less than their actual size, and the length is then modified to reflect how many bytes were delivered ... which one hopes is less than the presumed actual size.) Refuse to play such error prone games across the boundary between userspace and kernel. Signed-off-by: N David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: N Jean Delvare <khali@linux-fr.org>

i2c-dev: Reject I2C_M_RECV_LEN
The I2C_M_RECV_LEN calling convention for i2c_mesg.flags involves playing games with reported buffer lengths. (They start out less than their actual size, and the length is then modified to reflect how many bytes were delivered ... which one hopes is less than the presumed actual size.) Refuse to play such error prone games across the boundary between userspace and kernel. Signed-off-by: N David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: N Jean Delvare <khali@linux-fr.org>
e265cfa1 · David Brownell · Jean Delvare · 9d90c1fd · e265cfa1
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

drivers/i2c/i2c-dev.c drivers/i2c/i2c-dev.c +4 -2

未找到文件。
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -226,8 +226,10 @@ static int i2cdev_ioctl(struct inode *inode, struct file *file,

 		res = 0;
 		for( i=0; i<rdwr_arg.nmsgs; i++ ) {
-			/* Limit the size of the message to a sane amount */
-			if (rdwr_pa[i].len > 8192) {
+			/* Limit the size of the message to a sane amount;
+			 * and don't let length change either. */
+			if ((rdwr_pa[i].len > 8192) ||
+			    (rdwr_pa[i].flags & I2C_M_RECV_LEN)) {
 				res = -EINVAL;
 				break;
 			}