i2c: Add a length check to the SMBus write handling

Message ID	20181203125250.11195-1-minyard@acm.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org> From: minyard@acm.org To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org Date: Mon, 3 Dec 2018 06:52:50 -0600 Message-Id: <20181203125250.11195-1-minyard@acm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Subject: [Qemu-devel] [PATCH] i2c: Add a length check to the SMBus write handling Precedence: list Cc: Corey Minyard <cminyard@mvista.com>, Corey Minyard <minyard@acm.org>, "Michael S . Tsirkin" <mst@redhat.com>, "Dr . David Alan Gilbert" <dgilbert@redhat.com>, QEMU Stable <qemu-stable@nongnu.org>, Paolo Bonzini <pbonzini@redhat.com>, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com> Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Series	i2c: Add a length check to the SMBus write handling \| expand i2c: Add a length check to the SMBus write handling

Message ID

20181203125250.11195-1-minyard@acm.org (mailing list archive)

State

New, archived

Headers

From: minyard@acm.org
To: Peter Maydell <peter.maydell@linaro.org>,
	qemu-devel@nongnu.org
Date: Mon,  3 Dec 2018 06:52:50 -0600
Message-Id: <20181203125250.11195-1-minyard@acm.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [Qemu-devel] [PATCH] i2c: Add a length check to the SMBus write
 handling
Precedence: list
Cc: Corey Minyard <cminyard@mvista.com>, Corey Minyard <minyard@acm.org>,
 "Michael S . Tsirkin" <mst@redhat.com>,
 "Dr . David Alan Gilbert" <dgilbert@redhat.com>,
 QEMU Stable <qemu-stable@nongnu.org>, Paolo Bonzini <pbonzini@redhat.com>,
	=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Series

i2c: Add a length check to the SMBus write handling | expand

Commit Message

Corey Minyard Dec. 3, 2018, 12:52 p.m. UTC

From: Corey Minyard <cminyard@mvista.com>

Avoid an overflow.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: QEMU Stable <qemu-stable@nongnu.org>
---
 hw/i2c/smbus.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Peter Maydell Dec. 3, 2018, 1:45 p.m. UTC | #1

On Mon, 3 Dec 2018 at 12:53, <minyard@acm.org> wrote:
>
> From: Corey Minyard <cminyard@mvista.com>
>
> Avoid an overflow.
>
> Signed-off-by: Corey Minyard <cminyard@mvista.com>
> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Cc: QEMU Stable <qemu-stable@nongnu.org>

Applied to master for rc4, thanks.

-- PMM

diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c
index 6ff77c582f..30028bfcc2 100644
--- a/hw/i2c/smbus.c
+++ b/hw/i2c/smbus.c
@@ -193,7 +193,11 @@  static int smbus_i2c_send(I2CSlave *s, uint8_t data)
     switch (dev->mode) {
     case SMBUS_WRITE_DATA:
         DPRINTF("Write data %02x\n", data);
-        dev->data_buf[dev->data_len++] = data;
+        if (dev->data_len >= sizeof(dev->data_buf)) {
+            BADF("Too many bytes sent\n");
+        } else {
+            dev->data_buf[dev->data_len++] = data;
+        }
         break;
     default:
         BADF("Unexpected write in state %d\n", dev->mode);

i2c: Add a length check to the SMBus write handling

Commit Message

Comments

Patch