| Message ID | 20181126200435.23408-7-minyard@acm.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fix/add vmstate handling in some I2C code | expand |
On 26/11/18 21:04, minyard@acm.org wrote: > From: Corey Minyard <cminyard@mvista.com> > > Avoid an overflow. > > Signed-off-by: Corey Minyard <cminyard@mvista.com> > Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > hw/i2c/smbus_slave.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/hw/i2c/smbus_slave.c b/hw/i2c/smbus_slave.c > index 70ff29c095..d03f714608 100644 > --- a/hw/i2c/smbus_slave.c > +++ b/hw/i2c/smbus_slave.c > @@ -182,7 +182,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data) > switch (dev->mode) { > case SMBUS_WRITE_DATA: > DPRINTF("Write data %02x\n", data); > - dev->data_buf[dev->data_len++] = data; > + if (dev->data_len >= sizeof(dev->data_buf)) { > + BADF("Too many bytes sent\n"); > + } else { > + dev->data_buf[dev->data_len++] = data; > + } > break; > > default: >
diff --git a/hw/i2c/smbus_slave.c b/hw/i2c/smbus_slave.c index 70ff29c095..d03f714608 100644 --- a/hw/i2c/smbus_slave.c +++ b/hw/i2c/smbus_slave.c @@ -182,7 +182,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data) switch (dev->mode) { case SMBUS_WRITE_DATA: DPRINTF("Write data %02x\n", data); - dev->data_buf[dev->data_len++] = data; + if (dev->data_len >= sizeof(dev->data_buf)) { + BADF("Too many bytes sent\n"); + } else { + dev->data_buf[dev->data_len++] = data; + } break; default: