authorphilipchen <philipchen@google.com>2017-05-03 16:53:57 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2017-05-08 23:53:22 +0000
commit96514bb2d21dbe8b4cc6177db9e916384649e28f (patch)
tree2692f0dc22ed97fd20997e56d0ef8cfee6d8c860
parent87acd57169dd53673f940824a9d5d14441ef38e4 (diff)
virtual_battery: prevent access out of bounds of memory
BUG=chromium:717737 BRANCH=none TEST=manually run 'power_supply_info' a few times and see consistent battery parameters TEST=access cached smart battery registers from the host command and see it returns 0 for out of bounds of memory Change-Id: I87cf2900ff93a952dc88cd9c3da82321533e4eb5 Reviewed-on: https://chromium-review.googlesource.com/495628 Reviewed-by: Douglas Anderson <dianders@chromium.org> Commit-Queue: Philip Chen <philipchen@chromium.org> Tested-by: Philip Chen <philipchen@chromium.org>
-rw-r--r--common/virtual_battery.c13
1 files changed, 11 insertions, 2 deletions
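diff --git a/common/virtual_battery.c b/common/virtual_battery.c
index 4bc87c04db..7f57b6d41d 100644
--- a/common/virtual_battery.c
+++ b/common/virtual_battery.c
@@ -142,16 +142,18 @@ int virtual_battery_handler(struct ec_response_i2c_passthru *resp,
 case START:
 case WRITE_VB:
 virtual_battery_operation(batt_cmd_head,
-&resp->data[in_len],
+NULL,
 0,
 acc_write_len);
 break;
 /* read from virtual battery */
 case READ_VB:
 if (cache_hit) {
+read_len += in_len;
+memset(&resp->data[0], 0, read_len);
 virtual_battery_operation(batt_cmd_head,
 &resp->data[0],
-in_len + read_len,
+read_len,
 0);
 }
 break;
@@ -189,6 +191,13 @@ int virtual_battery_operation(const uint8_t *batt_cmd_head,
 static uint16_t batt_mode_cache;
 const struct batt_params *curr_batt;
+/*
+ * All of the smart battery reg indexes supported by this virtual
+ * battery implementation are two bytes long. So we should limit
+ * the range of memory access accordingly.
+ */
+if (read_len > 2)
+read_len = 2;
 curr_batt = charger_current_battery_params();
 switch (*batt_cmd_head) {
 case SB_BATTERY_MODE: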
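Review bot: The clamp `if (read_len > 2) read_len = 2;` in the second hunk hard-codes the register width that the comment above it describes in words; `if (read_len > sizeof(uint16_t)) read_len = sizeof(uint16_t);` ties the bound to the type already used for `batt_mode_cache`, and a one-line contract comment on the function such as `/* Reads are truncated to one 16-bit register; dest may be NULL only when read_len is 0. */` would record what the START/WRITE_VB call in the first hunk now relies on by passing `NULL` with a zero length. In the first hunk, `memset(&resp->data[0], 0, read_len)` runs after `in_len` has been added to `read_len` but before the clamp inside virtual_battery_operation, so it presumably depends on a check above the hunk that `in_len + read_len` fits in `resp->data`; if that check lives elsewhere, a short comment next to the memset naming it would make the bound visible at the point of the write. Both `virtual_battery_handler` and `virtual_battery_operation` begin and end outside these hunks.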