qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow

From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
Date: Mon, 10 Jan 2011 13:45:24 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux) 
Blue Swirl <address@hidden> writes:

> Fix a buffer overflow, reported by cppcheck:
> [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom
>
> All eeprom handling code assumes that the size of eeprom is 128.
>
> Signed-off-by: Blue Swirl <address@hidden>
> ---
>  hw/lan9118.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/hw/lan9118.c b/hw/lan9118.c
> index a988664..1bb829e 100644
> --- a/hw/lan9118.c
> +++ b/hw/lan9118.c
> @@ -187,7 +187,7 @@ typedef struct {
>      uint32_t phy_int_mask;
>
>      int eeprom_writable;
> -    uint8_t eeprom[8];
> +    uint8_t eeprom[128];
>
>      int tx_fifo_size;
>      LAN9118Packet *txp;

Covers all the obvious accesses except for a couple of s->eeprom[addr]
in lan9118_eeprom_cmd().  addr is a parameter there, and the actual
argument is val & 0xff, in lan9118_writel().  What if val & 0xff >= 128?
reply via email to
[Prev in Thread] Current Thread [Next in Thread]