Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
Date: Tue, 11 Jan 2011 10:10:28 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
Peter Maydell <address@hidden> writes:
> On 10 January 2011 15:50, Blue Swirl <address@hidden> wrote:
>> On Mon, Jan 10, 2011 at 12:45 PM, Markus Armbruster <address@hidden> wrote:
>>> Covers all the obvious accesses except for a couple of s->eeprom[addr]
>>> in lan9118_eeprom_cmd(). addr is a parameter there, and the actual
>>> argument is val & 0xff, in lan9118_writel(). What if val & 0xff >= 128?
>>
>> Should the size be 256 and cases with 128 changed accordingly? Or mask
>> changed to 0x7f?
>
> Size should be 128, I think. The SMSC 9118 datasheet:
> http://www.smsc.com/media/Downloads_Public/Data_Sheets/9118.pdf
> says it supports "most “93C46” type EEPROMs configured for
> 128 x 8-bit operation", and if you look at the timing diagram in
> figure 3.8 EEDIO is outputting address bits A0 to A6.
> The data sheet doesn't say what the actual effect of writing a
> bit-8-set value to E2P_CMD's address field is, but "ignore the
> high bit" seems like a good guess.
That answers the question I was about to ask: how large is the real
hardware's EEPROM. Let's mask with 0x7f.
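The indexing problem discussed in this thread, as an added example that is not part of the original message and is not QEMU's code: it compares the two masks over every possible 8-bit address-field value against a 128-byte array. The struct `toy_lan9118`, its `writable` field, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EEPROM_SIZE 128   /* 128 x 8-bit operation, address bits A0..A6 */

/* Hypothetical, simplified device state; not QEMU's actual struct. */
typedef struct {
    uint8_t eeprom[EEPROM_SIZE];
    uint8_t writable;     /* assumed neighbouring field, for illustration */
} toy_lan9118;

/* Address decode as questioned in the thread: keeps 8 bits (0..255). */
static unsigned addr_mask_ff(uint32_t val) { return val & 0xff; }

/* Address decode agreed on in the thread: keeps A0..A6 (0..127). */
static unsigned addr_mask_7f(uint32_t val) { return val & 0x7f; }

/* Count guest-supplied address-field values that decode out of bounds. */
static unsigned count_oob(unsigned (*decode)(uint32_t))
{
    unsigned n = 0;
    for (uint32_t val = 0; val <= 0xff; val++)
        if (decode(val) >= EEPROM_SIZE)
            n++;
    return n;
}

/* Hardened write: mask first, then index. Returns the index used. */
static unsigned eeprom_write(toy_lan9118 *s, uint32_t val, uint8_t data)
{
    unsigned addr = addr_mask_7f(val);
    s->eeprom[addr] = data;
    return addr;
}

int main(void)
{
    toy_lan9118 s = { .writable = 0 };
    printf("0xff mask: %u of 256 values out of bounds\n", count_oob(addr_mask_ff));
    printf("0x7f mask: %u of 256 values out of bounds\n", count_oob(addr_mask_7f));
    /* With the 0xff mask, index 128 is the first byte past the array. */
    printf("eeprom ends at offset %zu, next field at %zu\n",
           offsetof(toy_lan9118, eeprom) + EEPROM_SIZE, offsetof(toy_lan9118, writable));
    printf("val 0x85 stored at index %u\n", eeprom_write(&s, 0x85, 0xaa));
    return 0;
}
```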