On 27/12/18 12:51, Michael Hanselmann wrote: > The "eeprom_write_data" function in "smbus_eeprom.c" had no provisions > to limit the length of data written. If a caller were able to manipulate > the "len" parameter they could potentially write before or after the > target buffer. > --- > hw/i2c/smbus_eeprom.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c > index f18aa3de35..74fa1c328c 100644 > --- a/hw/i2c/smbus_eeprom.c > +++ b/hw/i2c/smbus_eeprom.c > @@ -76,6 +76,7 @@ static void eeprom_write_data(SMBusDevice *dev, uint8_t > cmd, uint8_t *buf, int l > It is a block write without a length byte. Fortunately we > get the full block anyway. */ > /* TODO: Should this set the current location? */ > + len &= 0xff; > if (cmd + len > 256) > n = 256 - cmd; > else >
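Review bot: `len &= 0xff;` silently truncates an out-of-range length rather than rejecting it, so a negative or over-long `len` (the cases the commit message says it is guarding against) becomes a write of its low eight bits instead of an error that callers can notice. Since the only remaining guard is `if (cmd + len > 256) n = 256 - cmd;`, consider an explicit range check such as `if (len < 0) return;` ahead of the mask, and extend the comment block above ("It is a block write without a length byte ...") to say why an oversized length is clamped rather than refused. The commit message should also state what bounds `len` on the callers' side so reviewers can judge whether the masked-off bits are reachable at all.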
Note that len is limited to 33 bytes (smbus_do_write and smbus_i2c_send).

Paolo