Sender: Corey Minyard
From: minyard@acm.org
Date: Mon, 26 Nov 2018 14:04:25 -0600
Message-Id: <20181126200435.23408-7-minyard@acm.org>
In-Reply-To: <20181126200435.23408-1-minyard@acm.org>
References: <20181126200435.23408-1-minyard@acm.org>
Subject: [Qemu-devel] [PATCH v3 06/16] i2c: Add a length check to the SMBus write handling
To: qemu-devel@nongnu.org, "Dr . David Alan Gilbert", Philippe Mathieu-Daudé, Peter Maydell
Cc: Paolo Bonzini, "Michael S . Tsirkin", Corey Minyard, Corey Minyard

From: Corey Minyard

Avoid an overflow.

Signed-off-by: Corey Minyard
Reviewed-by: Peter Maydell
---
 hw/i2c/smbus_slave.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/i2c/smbus_slave.c b/hw/i2c/smbus_slave.c index 70ff29c095..d03f714608 100644 --- a/hw/i2c/smbus_slave.c +++ b/hw/i2c/smbus_slave.c
@@ -182,7 +182,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data) switch (dev->mode) { case SMBUS_WRITE_DATA: DPRINTF("Write data %02x\n", data); - dev->data_buf[dev->data_len++] = data; + if (dev->data_len >= sizeof(dev->data_buf)) { + BADF("Too many bytes sent\n"); + } else { + dev->data_buf[dev->data_len++] = data; + } break; default: -- 2.17.1
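Review bot: In the SMBUS_WRITE_DATA case, the new `dev->data_len >= sizeof(dev->data_buf)` branch drops the excess byte and calls BADF, but nothing in the visible lines changes what smbus_i2c_send returns, so the sender is not told that the byte was discarded. The function returns int, so consider returning a failure value on that path, or say in the commit message that silent truncation is intended. The bound is also only correct if data_buf is a true array of byte-sized elements; its declaration is not in this hunk, so ARRAY_SIZE(dev->data_buf) would make that assumption explicit. BADF is reached once per extra byte, so a sender that keeps writing repeats the message for every byte; reporting once per transfer would be quieter. The commit message "Avoid an overflow." would help later readers more if it named data_buf and noted that the write length is controlled by the bus master.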