author | philipchen <philipchen@google.com> | 2017-05-03 16:53:57 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-05-09 11:29:16 -0700 |
commit | bab7c0dc8812bff760c454a0b2166dfcb3591800 (patch) | |
tree | 614b8955810eda34bc021903e99d92220577e3d2 | |
parent | 8c980fc5af4283a34e10d02ba0c99fb2369ffa31 (diff) | |
download | chrome-ec-bab7c0dc8812bff760c454a0b2166dfcb3591800.tar.gz |
virtual_battery: prevent access out of bounds of memory
BUG=chromium:717737
BRANCH=none
TEST=manually run 'power_supply_info' a few times and see
consistent battery parameters
TEST=access cached smart battery registers from the host
command and see that it returns 0 for out-of-bounds memory
Change-Id: I87cf2900ff93a952dc88cd9c3da82321533e4eb5
Reviewed-on: https://chromium-review.googlesource.com/495628
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Commit-Queue: Philip Chen <philipchen@chromium.org>
Tested-by: Philip Chen <philipchen@chromium.org>
(cherry picked from commit 96514bb2d21dbe8b4cc6177db9e916384649e28f)
Reviewed-on: https://chromium-review.googlesource.com/499607
Commit-Ready: Philip Chen <philipchen@chromium.org>
Reviewed-by: Philip Chen <philipchen@chromium.org>
-rw-r--r-- | common/virtual_battery.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/common/virtual_battery.c b/common/virtual_battery.c
index d5a9ad2124..63abe5b510 100644
--- a/common/virtual_battery.c
+++ b/common/virtual_battery.c
@@ -140,16 +140,18 @@ int virtual_battery_handler(struct ec_response_i2c_passthru *resp,
 	case START:
 	case WRITE_VB:
 		virtual_battery_operation(batt_cmd_head,
-					  &resp->data[in_len],
+					  NULL,
 					  0,
 					  acc_write_len);
 		break;
 	/* read from virtual battery */
 	case READ_VB:
 		if (cache_hit) {
+			read_len += in_len;
+			memset(&resp->data[0], 0, read_len);
 			virtual_battery_operation(batt_cmd_head,
						  &resp->data[0],
-						  in_len + read_len,
+						  read_len,
 						  0);
 		}
 		break;
@@ -187,6 +189,13 @@ int virtual_battery_operation(const uint8_t *batt_cmd_head,
 	static uint16_t batt_mode_cache;
 	const struct batt_params *curr_batt;
+	/*
+	 * All of the smart battery reg indexes supported by this virtual
+	 * battery implementation are two bytes long. So we should limit
+	 * the range of memory access accordingly.
+	 */
+	if (read_len > 2)
+		read_len = 2;
 	curr_batt = charger_current_battery_params();
 	switch (*batt_cmd_head) {
 	case SB_BATTERY_MODE:
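Review bot: The `memset(&resp->data[0], 0, read_len)` added under `case READ_VB` clears `in_len + read_len` bytes of the response buffer, but nothing in the hunk bounds that sum against the capacity of `resp->data`; presumably the I2C passthru command handler has already checked the requested read length against the response size, but that precondition is not stated here and virtual_battery_handler's body starts outside the hunk. A comment above the memset such as `/* caller has bounded in_len + read_len to the response buffer */` would record the assumption, and if these lengths are signed a negative value must be rejected by that same check before it reaches memset as a huge size_t. Note that this zeroing is what makes the 2-byte clamp in virtual_battery_operation return 0 for the bytes it does not fill, so the two hunks depend on each other. The `NULL` now passed as `dest` in the WRITE_VB case likewise relies on virtual_battery_operation never touching `dest` when `read_len` is 0, which is worth a comment at the call site.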
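Review bot: The clamp `if (read_len > 2) read_len = 2;` silently truncates the request and leaves `dest[2]` onward untouched, so a caller only sees the "0 for out of bounds" behaviour described in the commit message if it cleared `dest` beforehand; the new comment should state that contract, e.g. `/* Bytes beyond the clamp are not written; the caller is expected to have cleared dest. */`. The literal `2` is a magic number encoding the register width; `sizeof(uint16_t)` (cast to match `read_len`'s type) or a named enum constant would keep the check in step with the comment, which currently explains the width only in prose. virtual_battery_operation's body continues outside the hunk.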