Commit de24aceb authored Sep 08, 2022 by Asmaa Mnebhi Committed by Wolfram Sang Sep 17, 2022

i2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()



memcpy() is called in a loop while 'operation->length' upper bound
is not checked and 'data_idx' also increments.

Fixes: b5b5b320 ("i2c: mlxbf: I2C SMBus driver for Mellanox BlueField SoC")
Reviewed-by: Khalil Blaiech <kblaiech@nvidia.com>
Signed-off-by: Asmaa Mnebhi <asmaa@nvidia.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>

parent 2a5be6d1

drivers/i2c/busses/i2c-mlxbf.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -738,6 +738,9 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv,
		if (flags & MLXBF_I2C_F_WRITE) {
		write_en = 1;
		write_len += operation->length;
		if (data_idx + operation->length >
		MLXBF_I2C_MASTER_DATA_DESC_SIZE)
		return -ENOBUFS;
		memcpy(data_desc + data_idx,
		operation->buffer, operation->length);
		data_idx += operation->length;