From: Corey Minyard <cminy...@mvista.com>
Avoid an overflow.
Signed-off-by: Corey Minyard <cminy...@mvista.com>
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
Tested-by: Philippe Mathieu-Daudé <phi...@redhat.com>
Cc: QEMU Stable <qemu-sta...@nongnu.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 629457a13080052c575779e1fd9f5eb5ee6b8ad9)
Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
---
hw/i2c/smbus.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c
index 587ce1ab7f..639ff90b65 100644
--- a/hw/i2c/smbus.c
+++ b/hw/i2c/smbus.c
@@ -193,7 +193,11 @@ static int smbus_i2c_send(I2CSlave *s, uint8_t data)
switch (dev->mode) {
case SMBUS_WRITE_DATA:
DPRINTF("Write data %02x\n", data);
- dev->data_buf[dev->data_len++] = data;
+ if (dev->data_len >= sizeof(dev->data_buf)) {
+ BADF("Too many bytes sent\n");
+ } else {
+ dev->data_buf[dev->data_len++] = data;
+ }
break;
default:
BADF("Unexpected write in state %d\n", dev->mode);
--
2.17.1
