github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-28 09:04:39 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

hwmon: (tps53679) Fix array access with zero-length block read

Browse Source 
i2c_smbus_read_block_data() can return 0, indicating a zero-length
read. When this happens, tps53679_identify_chip() accesses buf[ret - 1]
which is buf[-1], reading one byte before the buffer on the stack.

Fix by changing the check from "ret < 0" to "ret <= 0", treating a
zero-length read as an error (-EIO), which prevents the out-of-bounds
array access.

Also fix a typo in the adjacent comment: "if present" instead of
duplicate "if".

Fixes: 75ca1e5875 ("hwmon: (pmbus/tps53679) Add support for TPS53685")
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260329170925.34581-2-sanman.pradhan@hpe.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
This commit is contained in:
Sanman Pradhan 2026-03-29 17:09:40 +00:00 committed by Guenter Roeck
parent 7aaa8047ea
commit 0e211f6aaa
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/hwmon/pmbus/tps53679.c
View File

@ -103,10 +103,10 @@ static int tps53679_identify_chip(struct i2c_client *client,
}
ret = i2c_smbus_read_block_data(client, PMBUS_IC_DEVICE_ID, buf);
if (ret < 0)
return ret;
if (ret <= 0)
return ret < 0 ? ret : -EIO;
/* Adjust length if null terminator if present */
/* Adjust length if null terminator is present */
buf_len = (buf[ret - 1] != '\x00' ? ret : ret - 1);
id_len = strlen(id);