The "eeprom_write_data" function in "smbus_eeprom.c" had no provisions to limit the length of data written. If a caller were able to manipulate the "len" parameter they could potentially write before or after the target buffer.

---
 hw/i2c/smbus_eeprom.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c index f18aa3de35..74fa1c328c 100644 --- a/hw/i2c/smbus_eeprom.c +++ b/hw/i2c/smbus_eeprom.c @@ -76,6 +76,7 @@ static void eeprom_write_data(SMBusDevice *dev, uint8_t cmd, uint8_t *buf, int l It is a block write without a length byte. Fortunately we get the full block anyway. */ /* TODO: Should this set the current location? */ + len &= 0xff; if (cmd + len > 256) n = 256 - cmd; else -- 2.11.0
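Review bot: the new `len &= 0xff;` silently truncates an out-of-range length instead of rejecting it, so a caller passing, say, 300 bytes has the request quietly handled as 44 bytes, which hides the misuse from testing and logging; prefer an explicit check such as returning early when `len < 0 || len > 255`, or at minimum add a one-line comment above the mask saying why 0xff is the bound for this 256-byte device. With `len` clamped to 0..255 and `cmd` a `uint8_t`, `cmd + len` is at most 510, so the existing `if (cmd + len > 256) n = 256 - cmd;` branch now correctly bounds the copy, and a negative `len` (the "write before the buffer" case in the commit message) can no longer reach it.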