From: Corey Minyard Date: Mon, 3 Dec 2018 12:52:50 +0000 (-0600) Subject: i2c: Add a length check to the SMBus write handling X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=629457a13080052c575779e1fd9f5eb5ee6b8ad9;p=qemu.git i2c: Add a length check to the SMBus write handling Avoid an overflow. Signed-off-by: Corey Minyard Reviewed-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Tested-by: Philippe Mathieu-Daudé Cc: QEMU Stable Signed-off-by: Peter Maydell --- diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c index 6ff77c582f..30028bfcc2 100644 --- a/hw/i2c/smbus.c +++ b/hw/i2c/smbus.c @@ -193,7 +193,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data) switch (dev->mode) { case SMBUS_WRITE_DATA: DPRINTF("Write data %02x\n", data); - dev->data_buf[dev->data_len++] = data; + if (dev->data_len >= sizeof(dev->data_buf)) { + BADF("Too many bytes sent\n"); + } else { + dev->data_buf[dev->data_len++] = data; + } break; default: BADF("Unexpected write in state %d\n", dev->mode);
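Review bot: in the new `if (dev->data_len >= sizeof(dev->data_buf))` branch of the `SMBUS_WRITE_DATA` case, the excess byte is dropped with only a `BADF("Too many bytes sent\n")` message, and nothing in the visible lines changes what `smbus_i2c_send()` returns, so the bus master gets no indication that the write was truncated. Since the function returns `int`, consider returning a non-zero value from this branch so the oversize transfer is reported as failed rather than silently shortened, or state in a comment that dropping the byte is intended. The bound also relies on `data_buf` being a true array of one-byte elements: `sizeof` gives the wrong limit if the field ever becomes a pointer or a wider element type, so `ARRAY_SIZE(dev->data_buf)` would be the more robust spelling. The `DPRINTF("Write data %02x\n", data)` line still runs before the check, so debug output will show bytes as written that were in fact discarded; moving it into the `else` branch would keep the trace accurate. The commit message would be easier to triage for stable backports if it named the buffer being protected and the state in which the overflow occurs.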