[i2c] [patch 2.6.23-rc6] i2c-dev rejects I2C_M_RECV_LEN
Jean Delvare
khali at linux-fr.org
Fri Sep 28 09:50:56 CEST 2007
Hi David,
On Sun, 16 Sep 2007 22:00:33 -0700, David Brownell wrote:
> The I2C_M_RECV_LEN calling convention for i2c_mesg.flags involves
> playing games with reported buffer lengths. (They start out less
> than their actual size, and the length is then modified to reflect
> how many bytes were delivered ... which one hopes is less than the
> presumed actual size.) Refuse to play such error prone games across
> the boundary between userspace and kernel.
>
> Signed-off-by: David Brownell <dbrownell at users.sourceforge.net>
> ---
> drivers/i2c/i2c-dev.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> --- g26.orig/drivers/i2c/i2c-dev.c 2007-09-11 10:24:24.000000000 -0700
> +++ g26/drivers/i2c/i2c-dev.c 2007-09-11 10:27:02.000000000 -0700
> @@ -264,8 +264,11 @@ static int i2cdev_ioctl(struct inode *in
>
> res = 0;
> for( i=0; i<rdwr_arg.nmsgs; i++ ) {
> - /* Limit the size of the message to a sane amount */
> - if (rdwr_pa[i].len > 8192) {
> + /* Limit the size of the message to a sane amount;
> + * and don't let length change either.
> + */
> + if ((rdwr_pa[i].flags & I2C_M_RECV_LEN)
> + || (rdwr_pa[i].len > 8192)) {
> res = -EINVAL;
> break;
> }
Applied (with minor formatting changes), thank you.
--
Jean Delvare
More information about the i2c
mailing list