Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 29 May 2016 07:14:52 +0000 (UTC)
From:      "Jason A. Harmening" <jah@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r300948 - stable/10/sys/dev/iicbus
Message-ID:  <201605290714.u4T7Eq8L024078@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jah
Date: Sun May 29 07:14:51 2016
New Revision: 300948
URL: https://svnweb.freebsd.org/changeset/base/300948

Log:
  MFC r300258:
  
  iic_rdwr_data->nmsgs is uint32_t, so limit the allowable number of messages to
  prevent memory exhaustion and short allocations on 32-bit systems. Since
  iicrdwr is intended to be a workalike of a Linux i2c-dev call, use the same
  limit of 42 that Linux uses.
  
  Also check the return value of copyin(9) to prevent unnecessary allocation in
  the failure case.

Modified:
  stable/10/sys/dev/iicbus/iic.c
  stable/10/sys/dev/iicbus/iic.h
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/iicbus/iic.c
==============================================================================
--- stable/10/sys/dev/iicbus/iic.c	Sun May 29 07:01:12 2016	(r300947)
+++ stable/10/sys/dev/iicbus/iic.c	Sun May 29 07:14:51 2016	(r300948)
@@ -299,9 +299,16 @@ iicrdwr(struct iic_cdevpriv *priv, struc
 	parent = device_get_parent(iicdev);
 	error = 0;
 
+	if (d->nmsgs > IIC_RDRW_MAX_MSGS)
+		return (EINVAL);
+
 	buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_IIC, M_WAITOK);
 
 	error = copyin(d->msgs, buf, sizeof(*d->msgs) * d->nmsgs);
+	if (error != 0) {
+		free(buf, M_IIC);
+		return (error);
+	}
 
 	/* Alloc kernel buffers for userland data, copyin write data */
 	usrbufs = malloc(sizeof(void *) * d->nmsgs, M_IIC, M_WAITOK | M_ZERO);
@@ -317,6 +324,8 @@ iicrdwr(struct iic_cdevpriv *priv, struc
 		m->buf = NULL;
 		if (error != 0)
 			continue;
+
+		/* m->len is uint16_t, so allocation size is capped at 64K. */
 		m->buf = malloc(m->len, M_IIC, M_WAITOK);
 		if (!(m->flags & IIC_M_RD))
 			error = copyin(usrbufs[i], m->buf, m->len);

Modified: stable/10/sys/dev/iicbus/iic.h
==============================================================================
--- stable/10/sys/dev/iicbus/iic.h	Sun May 29 07:01:12 2016	(r300947)
+++ stable/10/sys/dev/iicbus/iic.h	Sun May 29 07:14:51 2016	(r300948)
@@ -56,6 +56,8 @@ struct iic_rdwr_data {
 	uint32_t nmsgs;
 };
 
+#define IIC_RDRW_MAX_MSGS	42
+
 #define I2CSTART	_IOW('i', 1, struct iiccmd)	/* start condition */
 #define I2CSTOP		_IO('i', 2)			/* stop condition */
 #define I2CRSTCARD	_IOW('i', 3, struct iiccmd)	/* reset the card */



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605290714.u4T7Eq8L024078>