Commit 629457a1 authored Dec 03, 2018 by Corey Minyard Committed by Peter Maydell Dec 03, 2018

i2c: Add a length check to the SMBus write handling



Avoid an overflow.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

parent 4750e1a8

hw/i2c/smbus.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -193,7 +193,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data)
		switch (dev->mode) {
		case SMBUS_WRITE_DATA:
		DPRINTF("Write data %02x\n", data);
		if (dev->data_len >= sizeof(dev->data_buf)) {
		BADF("Too many bytes sent\n");
		} else {
		dev->data_buf[dev->data_len++] = data;
		}
		break;
		default:
		BADF("Unexpected write in state %d\n", dev->mode);