[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH] smbus_eeprom: Limit data writes to 255 bytes
|
From: |
Michael Hanselmann |
|
Subject: |
[Qemu-devel] [PATCH] smbus_eeprom: Limit data writes to 255 bytes |
|
Date: |
Thu, 27 Dec 2018 11:51:55 +0000 |
The "eeprom_write_data" function in "smbus_eeprom.c" had no provisions
to limit the length of data written. If a caller were able to manipulate
the "len" parameter they could potentially write before or after the
target buffer.
---
hw/i2c/smbus_eeprom.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
index f18aa3de35..74fa1c328c 100644
--- a/hw/i2c/smbus_eeprom.c
+++ b/hw/i2c/smbus_eeprom.c
@@ -76,6 +76,7 @@ static void eeprom_write_data(SMBusDevice *dev, uint8_t cmd,
uint8_t *buf, int l
It is a block write without a length byte. Fortunately we
get the full block anyway. */
/* TODO: Should this set the current location? */
+ len &= 0xff;
if (cmd + len > 256)
n = 256 - cmd;
else
--
2.11.0
- [Qemu-devel] [PATCH] smbus_eeprom: Limit data writes to 255 bytes,
Michael Hanselmann <=