Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932614AbbDMPmD (ORCPT ); Mon, 13 Apr 2015 11:42:03 -0400 Received: from mga02.intel.com ([134.134.136.20]:39570 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932101AbbDMPl4 (ORCPT ); Mon, 13 Apr 2015 11:41:56 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.11,570,1422950400"; d="scan'208";a="712941115" From: Irina Tirdea To: Jonathan Cameron , linux-iio@vger.kernel.org, Hartmut Knaack Cc: linux-kernel@vger.kernel.org, Vlad Dogaru , Irina Tirdea Subject: [PATCH v2 03/17] iio: accel: mma9551_core: prevent buffer overrun Date: Mon, 13 Apr 2015 18:40:50 +0300 Message-Id: <1428939664-12503-4-git-send-email-irina.tirdea@intel.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1428939664-12503-1-git-send-email-irina.tirdea@intel.com> References: <1428939664-12503-1-git-send-email-irina.tirdea@intel.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2466 Lines: 70 The mma9551 functions that read/write word arrays from the device have a limit for the buffer size given by the device specifications. Check that the requested buffer length is within required limits when transferring word arrays. This will prevent buffer overrun in the mma9551_read/write_*_words functions and also in the mma9551_transfer call when writing into the MBOX response/request structure. Signed-off-by: Irina Tirdea Reported-by: Hartmut Knaack --- drivers/iio/accel/mma9551_core.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c index 7f55a6d..c6d5a3a 100644 --- a/drivers/iio/accel/mma9551_core.c +++ b/drivers/iio/accel/mma9551_core.c @@ -389,7 +389,12 @@ int mma9551_read_config_words(struct i2c_client *client, u8 app_id, { int ret, i; int len_words = len / sizeof(u16); - __be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS]; + __be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS / 2]; + + if (len_words > ARRAY_SIZE(be_buf)) { + dev_err(&client->dev, "Invalid buffer size %d\n", len); + return -EINVAL; + } ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_CONFIG, reg, NULL, 0, (u8 *) be_buf, len); @@ -424,7 +429,12 @@ int mma9551_read_status_words(struct i2c_client *client, u8 app_id, { int ret, i; int len_words = len / sizeof(u16); - __be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS]; + __be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS / 2]; + + if (len_words > ARRAY_SIZE(be_buf)) { + dev_err(&client->dev, "Invalid buffer size %d\n", len); + return -EINVAL; + } ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS, reg, NULL, 0, (u8 *) be_buf, len); @@ -459,7 +469,12 @@ int mma9551_write_config_words(struct i2c_client *client, u8 app_id, { int i; int len_words = len / sizeof(u16); - __be16 be_buf[MMA9551_MAX_MAILBOX_DATA_REGS]; + __be16 be_buf[(MMA9551_MAX_MAILBOX_DATA_REGS - 1) / 2]; + + if (len_words > ARRAY_SIZE(be_buf)) { + dev_err(&client->dev, "Invalid buffer size %d\n", len); + return -EINVAL; + } for (i = 0; i < len_words; i++) be_buf[i] = cpu_to_be16(buf[i]); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/