linux/drivers/i2c
Marek Roszko 75b81f339c i2c: at91: add bound checking on SMBus block length bytes
The driver was not bound checking the received length byte to ensure it was within the
the buffer size that is allocated for SMBus blocks. This resulted in buffer overflows
whenever an invalid length byte was received.
It also failed to ensure the length byte was not zero. If it received zero, it would end up
in an infinite loop as the at91_twi_read_next_byte function returned immediately without
allowing RHR to be read to clear the RXRDY interrupt.

Tested agaisnt a SMBus compliant battery.

Signed-off-by: Marek Roszko <mark.roszko@gmail.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
2014-09-02 14:29:33 +02:00
..
algos Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2014-01-29 19:56:20 -08:00
busses i2c: at91: add bound checking on SMBus block length bytes 2014-09-02 14:29:33 +02:00
muxes Merge branch 'i2c/for-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2014-08-09 09:15:07 -07:00
Kconfig i2c: rework kernel config I2C_ACPI 2014-08-19 10:19:39 -05:00
Makefile i2c: rework kernel config I2C_ACPI 2014-08-19 10:19:39 -05:00
i2c-acpi.c i2c: rework kernel config I2C_ACPI 2014-08-19 10:19:39 -05:00
i2c-boardinfo.c i2c: Update the FSF address 2012-03-26 21:47:19 +02:00
i2c-core.c Merge branch 'i2c/for-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2014-08-09 09:15:07 -07:00
i2c-core.h i2c: Update the FSF address 2012-03-26 21:47:19 +02:00
i2c-dev.c i2c: i2c-dev: Create 'name' attribute automatically 2013-09-30 06:02:31 +02:00
i2c-mux.c i2c: mux: Inherit retry count and timeout from parent for muxed bus 2013-12-12 22:39:28 +01:00
i2c-smbus.c Update Jean Delvare's e-mail address 2014-01-29 20:40:08 +01:00
i2c-stub.c i2c: stub: Avoid an array overrun on I2C block transfers 2014-07-20 13:25:29 +02:00