From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56161) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gNNGF-0003Ro-Ff for qemu-devel@nongnu.org; Thu, 15 Nov 2018 14:25:16 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gNNG4-0007zi-18 for qemu-devel@nongnu.org; Thu, 15 Nov 2018 14:25:07 -0500 Received: from mail-ot1-x341.google.com ([2607:f8b0:4864:20::341]:33275) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gNNG3-0007zP-Ou for qemu-devel@nongnu.org; Thu, 15 Nov 2018 14:24:55 -0500 Received: by mail-ot1-x341.google.com with SMTP id i20so12635634otl.0 for ; Thu, 15 Nov 2018 11:24:55 -0800 (PST) Sender: Corey Minyard From: minyard@acm.org Date: Thu, 15 Nov 2018 13:24:38 -0600 Message-Id: <20181115192446.17187-5-minyard@acm.org> In-Reply-To: <20181115192446.17187-1-minyard@acm.org> References: <20181115192446.17187-1-minyard@acm.org> Subject: [Qemu-devel] [PATCH v2 04/12] i2c: Add a length check to the SMBus write handling List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Paolo Bonzini , "Michael S . Tsirkin" , "Dr . David Alan Gilbert" , minyard@acm.org, Corey Minyard From: Corey Minyard Avoid an overflow. Signed-off-by: Corey Minyard --- hw/i2c/smbus_slave.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hw/i2c/smbus_slave.c b/hw/i2c/smbus_slave.c index 83ca041b5d..fa988919d8 100644 --- a/hw/i2c/smbus_slave.c +++ b/hw/i2c/smbus_slave.c @@ -182,7 +182,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data) switch (dev->mode) { case SMBUS_WRITE_DATA: DPRINTF("Write data %02x\n", data); - dev->data_buf[dev->data_len++] = data; + if (dev->data_len >= sizeof(dev->data_buf)) { + BADF("Too many bytes sent\n"); + } else { + dev->data_buf[dev->data_len++] = data; + } break; default: -- 2.17.1
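Review bot: In the SMBUS_WRITE_DATA case, the new overflow branch only emits `BADF("Too many bytes sent\n");` and then reaches the same `break` as a successful store, so the excess byte is dropped with nothing but a debug message to show for it. The hunk header shows that smbus_i2c_send() returns int, so consider returning an error from this branch to make the condition visible to the caller, or add a comment saying that dropping the byte is intentional. The bound `dev->data_len >= sizeof(dev->data_buf)` is a valid element count only while data_buf is an in-struct array of one-byte elements; ARRAY_SIZE(dev->data_buf) would stay correct if the element type ever changes. The commit message "Avoid an overflow." would also be easier to triage later if it named the buffer and the input that drives data_len.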