dibusb_i2c_xfer seems to do very dangerous things:
it assumes that it gets only write/read requests or write requests.
That means that read can be understood as write. For example a program
doing
file = open("/dev/i2c-x", O_RDWR);
ioctl(file, I2C_SLAVE, 0x50)
read(file, data, 10)
will corrupt the eeprom as it will be understood as a write.
Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
Signed-off-by: Patrick Boettcher <pb@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
for (i = 0; i < num; i++) {
/* write/read request */
- if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) {
+ if (i+1 < num && (msg[i].flags & I2C_M_RD) == 0
+ && (msg[i+1].flags & I2C_M_RD)) {
if (dibusb_i2c_msg(d, msg[i].addr, msg[i].buf,msg[i].len,
msg[i+1].buf,msg[i+1].len) < 0)
break;
i++;
- } else
+ } else if ((msg[i].flags & I2C_M_RD) == 0) {
if (dibusb_i2c_msg(d, msg[i].addr, msg[i].buf,msg[i].len,NULL,0) < 0)
break;
+ } else
+ break;
}
mutex_unlock(&d->i2c_mutex);
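Review bot: the new trailing `else break;` drops a read-only message without any visible error code, log line or comment, so a caller issuing a plain read() cannot tell from these lines that the transfer was refused rather than cut short. Consider setting an explicit error (for example -EOPNOTSUPP) before leaving the loop, and add a comment there stating that a read not preceded by a write is unsupported; what the function returns after mutex_unlock is not shown in this hunk, so that path should be checked as well. As a style point, the final `else` is unbraced while the two branches before it are braced, and the existing `/* write/read request */` comment now labels only the first of three cases.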