authorRobert Zieba <robertzieba@google.com>2022-04-26 11:47:18 -0600
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-05-05 17:19:57 +0000
commit4e7c8e207360782c1d0b6363f81f67d8808d18c4 (patch)
tree439254710e3e2ed05cddabac5f8b11d0af3fcdda
parentab0976af3371547511fa37c9e769faa509eddd1c (diff)
i2c_controller: Fix buffer overrun in `i2c_read_sized_block`
When passed a length of zero, the current behavior of `i2c_read_sized_block` is to read up to 255 bytes from the i2c bus. This commit changes that behavior so that passing a length of zero is an error. `i2c_read_sized_block` is only used by the smart battery driver, either directly or indirectly through `i2c_read_string`. I checked and found no places that currently rely on this behavior. BUG=b:228589840 TEST=Verified that battery strings are still read correctly, smart battery mfg access still works BRANCH=guybrush Signed-off-by: Robert Zieba <robertzieba@google.com> Change-Id: Ic025cd3cc805e6bd935b26100171a13e90b478a0 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3605885 Reviewed-by: Diana Z <dzigterman@chromium.org>
-rw-r--r--common/i2c_controller.c4
-rw-r--r--include/i2c.h2
2 files changed, 2 insertions, 4 deletions
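--- a/common/i2c_controller.c
+++ b/common/i2c_controller.c
@@ -782,7 +782,7 @@ int i2c_read_sized_block(const int port,
 i2c_lock(port, 1);
 for (i = 0; i <= CONFIG_I2C_NACK_RETRY_COUNT; i++) {
- int data_length;
+ int data_length = 0;
 /*
 * Send device reg space offset, and read back block length.
@@ -794,7 +794,7 @@ int i2c_read_sized_block(const int port,
 if (rv)
 continue;
- if (max_len && block_length > max_len)
+ if (block_length > max_len)
 data_length = max_len;
 else
 data_length = block_length;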
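Review bot: The new condition in the second hunk lets `max_len == 0` fall through to `data_length = max_len`, i.e. a zero-byte read, but nothing in this hunk rejects a zero (or negative) `max_len` up front, so whether the caller actually receives an error, as the commit message states, depends on code outside the hunk; `i2c_read_sized_block` begins before and continues after both hunks. If the intent is that a zero length is an error, an explicit guard before the lock and retry loop makes that contract visible and avoids touching the bus at all, e.g. `if (max_len <= 0) return EC_ERROR_INVAL;` (or whichever error code the rest of the function already returns for invalid arguments). The corresponding i2c.h hunks only delete the old `<len> == 0 : buffer size > 255` lines; the header should state the new contract for `i2c_read_sized_block` and `i2c_read_string`, e.g. ` * <len> must be > 0; a zero length is rejected with an error`, once the guard is in place. Note also that when `block_length > max_len` the read is silently truncated to `max_len` with no indication to the caller; that is pre-existing behavior, but it is worth a comment on the truncation branch, e.g. `/* Device reports more bytes than the buffer holds; read only max_len. */`.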
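--- a/include/i2c.h
+++ b/include/i2c.h
@@ -447,7 +447,6 @@ int i2c_unwedge(int port);
 * [length_N] [byte_0] [byte_1] ... [byte_N]
 *
 * <len> : the max length of receiving buffer
- * <len> == 0 : buffer size > 255
 */
 int i2c_read_sized_block(const int port,
 const uint16_t addr_flags,
@@ -462,7 +461,6 @@ int i2c_read_sized_block(const int port,
 * ascii, len should be at least N+1 to include the
 * terminating 0. Similar to strlcpy, the terminating null is
 * always written into the output buffer.
- * <len> == 0 : buffer size > 255
 */
 int i2c_read_string(const int port,
 const uint16_t addr_flags,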