On 26/11/18 21:04, miny...@acm.org wrote:
> From: Corey Minyard <cminy...@mvista.com>
>
> Avoid an overflow.
>
> Signed-off-by: Corey Minyard <cminy...@mvista.com>
> Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
Tested-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> ---
> hw/i2c/smbus_slave.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/i2c/smbus_slave.c b/hw/i2c/smbus_slave.c
> index 70ff29c095..d03f714608 100644
> --- a/hw/i2c/smbus_slave.c
> +++ b/hw/i2c/smbus_slave.c
> @@ -182,7 +182,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data)
> switch (dev->mode) {
> case SMBUS_WRITE_DATA:
> DPRINTF("Write data %02x\n", data);
> - dev->data_buf[dev->data_len++] = data;
> + if (dev->data_len >= sizeof(dev->data_buf)) {
> + BADF("Too many bytes sent\n");
> + } else {
> + dev->data_buf[dev->data_len++] = data;
> + }
> break;
>
> default:
>
