Fixes: 98189a0adfa0 ("HID: ft260: add usb hid to i2c host bridge driver")
The SMbus block transaction limits the number of bytes transferred to 32,
but nothing prevents a user from specifying via ioctl a larger data size
than the ft260 can handle in a single transfer.
i2cdev_ioctl_smbus()
--> i2c_smbus_xfer
--> __i2c_smbus_xfer
--> ft260_smbus_xfer
--> ft260_smbus_write
This patch adds data size checking in the ft260_smbus_write().
Signed-off-by: Michael Zaidman <michael.zaid...@gmail.com>
Reported-by: Dan Carpenter <dan.carpen...@oracle.com>
---
drivers/hid/hid-ft260.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c
index 047aa85a7c83..080623b3abbe 100644
--- a/drivers/hid/hid-ft260.c
+++ b/drivers/hid/hid-ft260.c
@@ -201,7 +201,7 @@ struct ft260_i2c_write_request_report {
u8 address; /* 7-bit I2C address */
u8 flag; /* I2C transaction condition */
u8 length; /* data payload length */
- u8 data[60]; /* data payload */
+ u8 data[FT260_WR_DATA_MAX]; /* data payload */
} __packed;
struct ft260_i2c_read_request_report {
@@ -429,6 +429,9 @@ static int ft260_smbus_write(struct ft260_device *dev, u8
addr, u8 cmd,
struct ft260_i2c_write_request_report *rep =
(struct ft260_i2c_write_request_report *)dev->write_buf;
+ if (data_len >= sizeof(rep->data))
+ return -EINVAL;
+
rep->address = addr;
rep->data[0] = cmd;
rep->length = data_len + 1;
--
2.25.1
