[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
From: |
Blue Swirl |
Subject: |
Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow |
Date: |
Mon, 10 Jan 2011 21:50:16 +0000 |
On Mon, Jan 10, 2011 at 12:45 PM, Markus Armbruster <address@hidden> wrote:
> Blue Swirl <address@hidden> writes:
>
>> Fix a buffer overflow, reported by cppcheck:
>> [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom
>>
>> All eeprom handling code assumes that the size of eeprom is 128.
>>
>> Signed-off-by: Blue Swirl <address@hidden>
>> ---
>> hw/lan9118.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/hw/lan9118.c b/hw/lan9118.c
>> index a988664..1bb829e 100644
>> --- a/hw/lan9118.c
>> +++ b/hw/lan9118.c
>> @@ -187,7 +187,7 @@ typedef struct {
>> uint32_t phy_int_mask;
>>
>> int eeprom_writable;
>> - uint8_t eeprom[8];
>> + uint8_t eeprom[128];
>>
>> int tx_fifo_size;
>> LAN9118Packet *txp;
>
> Covers all the obvious accesses except for a couple of s->eeprom[addr]
> in lan9118_eeprom_cmd(). addr is a parameter there, and the actual
> argument is val & 0xff, in lan9118_writel(). What if val & 0xff >= 128?
Should the size be 256 and cases with 128 changed accordingly? Or mask
changed to 0x7f?