[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
From: |
Markus Armbruster |
Subject: |
Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow |
Date: |
Mon, 10 Jan 2011 13:45:24 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux) |
Blue Swirl <address@hidden> writes:
> Fix a buffer overflow, reported by cppcheck:
> [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom
>
> All eeprom handling code assumes that the size of eeprom is 128.
>
> Signed-off-by: Blue Swirl <address@hidden>
> ---
> hw/lan9118.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/hw/lan9118.c b/hw/lan9118.c
> index a988664..1bb829e 100644
> --- a/hw/lan9118.c
> +++ b/hw/lan9118.c
> @@ -187,7 +187,7 @@ typedef struct {
> uint32_t phy_int_mask;
>
> int eeprom_writable;
> - uint8_t eeprom[8];
> + uint8_t eeprom[128];
>
> int tx_fifo_size;
> LAN9118Packet *txp;
Covers all the obvious accesses except for a couple of s->eeprom[addr]
in lan9118_eeprom_cmd(). addr is a parameter there, and the actual
argument is val & 0xff, in lan9118_writel(). What if val & 0xff >= 128?