[BUG] i2c-viapro oops on bad SMBus Block Read
Mark M. Hoffman
mhoffman at lightlink.com
Wed Aug 6 04:50:20 CEST 2003
* Sergey Vlasov <vsu at altlinux.ru> [2003-08-05 21:07:54 +0400]:
> Hello!
>
> I have found a reproducible bug in i2c-viapro (lm_sensors-2.8.0). When
> the device replies to SMBus Block Read with an absurdly large length,
> this driver accepts it without checking and overruns the data buffer.
> Tried with VT8325 and VT82C686.
<snip>
Are you interested in CVS commit privileges? You'll certainly get my vote.
Of course we could use the help especially now (upcoming sync w/ 2.4,
driver porting and userspace re-write for 2.6, etc.) Please contact
Philip Edelbrock <phil at netroedge.com> privately for username/password,
and also to join the mailing list if you haven't already.
> --- lm_sensors-2.8.0/kernel/busses/i2c-viapro.c.viapro-buffer-overrun 2003-07-03 05:30:13 +0400
> +++ lm_sensors-2.8.0/kernel/busses/i2c-viapro.c 2003-08-05 20:46:25 +0400
> @@ -271,6 +271,8 @@
> break;
> case VT596_BLOCK_DATA:
> data->block[0] = inb_p(SMBHSTDAT0);
> + if (data->block[0] > 32)
> + data->block[0] = 32;
> i = inb_p(SMBHSTCNT); /* Reset SMBBLKDAT */
> for (i = 1; i <= data->block[0]; i++)
> data->block[i] = inb_p(SMBBLKDAT);
I'll commit this patch now.
Regards,
--
Mark M. Hoffman
mhoffman at lightlink.com
More information about the lm-sensors
mailing list