On 15 November 2018 at 19:24, <miny...@acm.org> wrote: > From: Corey Minyard <cminy...@mvista.com> > > Avoid an overflow. > > Signed-off-by: Corey Minyard <cminy...@mvista.com> > --- > hw/i2c/smbus_slave.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/hw/i2c/smbus_slave.c b/hw/i2c/smbus_slave.c > index 83ca041b5d..fa988919d8 100644 > --- a/hw/i2c/smbus_slave.c > +++ b/hw/i2c/smbus_slave.c > @@ -182,7 +182,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data) > switch (dev->mode) { > case SMBUS_WRITE_DATA: > DPRINTF("Write data %02x\n", data); > - dev->data_buf[dev->data_len++] = data; > + if (dev->data_len >= sizeof(dev->data_buf)) { > + BADF("Too many bytes sent\n"); > + } else { > + dev->data_buf[dev->data_len++] = data; > + } > break;
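
Review bot: In the SMBUS_WRITE_DATA case, the new overflow branch only calls BADF("Too many bytes sent\n") and then reaches break, so the excess byte is dropped and nothing in this hunk shows the int return value of smbus_i2c_send() changing to reflect it. If a non-zero return from this function is how a NAK reaches the master, consider returning one in that branch; otherwise add a comment saying that silently discarding the byte is the intended behaviour. The commit message "Avoid an overflow." would also be clearer if it named dev->data_buf and stated what now happens to bytes past sizeof(dev->data_buf).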
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>

What happens on a real device in this situation?

thanks
-- PMM