Commit fa1ecd8d authored by Mauro Carvalho Chehab's avatar Mauro Carvalho Chehab

[media] dib0700_core: don't use stack on I2C reads

Make sure that I2C reads don't use the stack by passing
a pointer to the state buffer, which we know was
allocated via kmalloc, instead of relying on the buffer
allocated by an I2C client.
Reviewed-by: default avatarPatrick Boettcher <patrick.boettcher@posteo.de>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
parent bd1f976c
...@@ -213,7 +213,7 @@ static int dib0700_i2c_xfer_new(struct i2c_adapter *adap, struct i2c_msg *msg, ...@@ -213,7 +213,7 @@ static int dib0700_i2c_xfer_new(struct i2c_adapter *adap, struct i2c_msg *msg,
usb_rcvctrlpipe(d->udev, 0), usb_rcvctrlpipe(d->udev, 0),
REQUEST_NEW_I2C_READ, REQUEST_NEW_I2C_READ,
USB_TYPE_VENDOR | USB_DIR_IN, USB_TYPE_VENDOR | USB_DIR_IN,
value, index, msg[i].buf, value, index, st->buf,
msg[i].len, msg[i].len,
USB_CTRL_GET_TIMEOUT); USB_CTRL_GET_TIMEOUT);
if (result < 0) { if (result < 0) {
...@@ -221,6 +221,14 @@ static int dib0700_i2c_xfer_new(struct i2c_adapter *adap, struct i2c_msg *msg, ...@@ -221,6 +221,14 @@ static int dib0700_i2c_xfer_new(struct i2c_adapter *adap, struct i2c_msg *msg,
break; break;
} }
if (msg[i].len > sizeof(st->buf)) {
deb_info("buffer too small to fit %d bytes\n",
msg[i].len);
return -EIO;
}
memcpy(msg[i].buf, st->buf, msg[i].len);
deb_data("<<< "); deb_data("<<< ");
debug_dump(msg[i].buf, msg[i].len, deb_data); debug_dump(msg[i].buf, msg[i].len, deb_data);
...@@ -238,6 +246,13 @@ static int dib0700_i2c_xfer_new(struct i2c_adapter *adap, struct i2c_msg *msg, ...@@ -238,6 +246,13 @@ static int dib0700_i2c_xfer_new(struct i2c_adapter *adap, struct i2c_msg *msg,
/* I2C ctrl + FE bus; */ /* I2C ctrl + FE bus; */
st->buf[3] = ((gen_mode << 6) & 0xC0) | st->buf[3] = ((gen_mode << 6) & 0xC0) |
((bus_mode << 4) & 0x30); ((bus_mode << 4) & 0x30);
if (msg[i].len > sizeof(st->buf) - 4) {
deb_info("i2c message to big: %d\n",
msg[i].len);
return -EIO;
}
/* The Actual i2c payload */ /* The Actual i2c payload */
memcpy(&st->buf[4], msg[i].buf, msg[i].len); memcpy(&st->buf[4], msg[i].buf, msg[i].len);
...@@ -283,6 +298,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap, ...@@ -283,6 +298,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap,
/* fill in the address */ /* fill in the address */
st->buf[1] = msg[i].addr << 1; st->buf[1] = msg[i].addr << 1;
/* fill the buffer */ /* fill the buffer */
if (msg[i].len > sizeof(st->buf) - 2) {
deb_info("i2c xfer to big: %d\n",
msg[i].len);
return -EIO;
}
memcpy(&st->buf[2], msg[i].buf, msg[i].len); memcpy(&st->buf[2], msg[i].buf, msg[i].len);
/* write/read request */ /* write/read request */
...@@ -299,6 +319,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap, ...@@ -299,6 +319,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap,
break; break;
} }
if (msg[i + 1].len > sizeof(st->buf)) {
deb_info("i2c xfer buffer to small for %d\n",
msg[i].len);
return -EIO;
}
memcpy(msg[i + 1].buf, st->buf, msg[i + 1].len); memcpy(msg[i + 1].buf, st->buf, msg[i + 1].len);
msg[i+1].len = len; msg[i+1].len = len;
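Review bot: In the first two hunks of dib0700_i2c_xfer_new the new `msg[i].len > sizeof(st->buf)` test sits after the `usb_control_msg()` call that already receives up to `msg[i].len` bytes into `st->buf`, so an oversized request can overrun the state buffer before it is rejected. The test should run before the transfer, i.e. move the `if (msg[i].len > sizeof(st->buf)) { ... }` block above the `usb_control_msg()` call. The read-side check in dib0700_i2c_xfer_legacy also follows an error `break`, so it probably has the same ordering problem, and its message prints `msg[i].len` while the condition tests `msg[i + 1].len`. The neighbouring error path leaves the loop with `break`, so the direct `return -EIO` may skip whatever cleanup follows the loop; that code is outside the hunks shown.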