From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
Date: Mon, 10 Jan 2011 13:45:24 +0100
In-Reply-To: (Blue Swirl's message of "Sat, 8 Jan 2011 18:25:21 +0000")
To: Blue Swirl
Cc: qemu-devel

Blue Swirl writes:

> Fix a buffer overflow, reported by cppcheck:
> [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom
>
> All eeprom handling code assumes that the size of eeprom is 128.
>
> Signed-off-by: Blue Swirl
> ---
>  hw/lan9118.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/hw/lan9118.c b/hw/lan9118.c
> index a988664..1bb829e 100644
> --- a/hw/lan9118.c
> +++ b/hw/lan9118.c
> @@ -187,7 +187,7 @@ typedef struct {
>      uint32_t phy_int_mask;
>
>      int eeprom_writable;
> -    uint8_t eeprom[8];
> +    uint8_t eeprom[128];
>
>      int tx_fifo_size;
>      LAN9118Packet *txp;

Covers all the obvious accesses except for a couple of s->eeprom[addr] in
lan9118_eeprom_cmd().  addr is a parameter there, and the actual argument is
val & 0xff, in lan9118_writel().  What if val & 0xff >= 128?
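Review bot: growing eeprom[] from 8 to 128 removes the accesses cppcheck flagged, but nothing in the hunk bounds the index used in lan9118_eeprom_cmd(): addr arrives there as val & 0xff from lan9118_writel(), so it can take any value 0..255, and 128..255 still index past eeprom[128]. Suggest an explicit check before the s->eeprom[addr] accesses, e.g. `if (addr >= ARRAY_SIZE(s->eeprom)) return;`, and a named constant for the 128 so the commit message's claim that "all eeprom handling code assumes that the size of eeprom is 128" is enforced in one place rather than by a bare literal in the struct.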
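The address-range argument in the reply, worked through as an added example; this is not the lan9118 code and not part of the thread. It uses a hypothetical cut-down model of the device state with the patch's eeprom[128], guards the address derived as val & 0xff before it is used as an index, and counts how many reachable address values the resize alone still leaves out of bounds. The names lan9118_model, eeprom_read_checked, count_out_of_bounds_addrs and demo_read are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cut-down model of the device state: only the field the patch
 * touches, at the size it settles on. Not QEMU's struct. */
#define LAN9118_EEPROM_SIZE 128
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    uint8_t eeprom[LAN9118_EEPROM_SIZE];
} lan9118_model;

/* Guarded read. The address reaches the command handler as val & 0xff, so it
 * spans 0..255 no matter how large eeprom[] is declared; return -1 instead of
 * indexing when it falls past the array (the case the resize alone leaves). */
static int eeprom_read_checked(const lan9118_model *s, uint32_t val)
{
    uint32_t addr = val & 0xff;
    if (addr >= ARRAY_SIZE(s->eeprom)) {
        return -1;
    }
    return s->eeprom[addr];
}

/* How many of the 256 reachable values of val & 0xff the guard has to reject. */
static int count_out_of_bounds_addrs(void)
{
    lan9118_model s = {{0}};   /* constructed model, contents irrelevant here */
    int n = 0;
    for (uint32_t val = 0; val < 256; val++) {
        n += eeprom_read_checked(&s, val) < 0;
    }
    return n;
}

/* Read through a model whose EEPROM holds a constructed fill byte 0xab. */
static int demo_read(uint32_t val)
{
    lan9118_model s;
    memset(s.eeprom, 0xab, sizeof(s.eeprom));
    return eeprom_read_checked(&s, val);
}

int main(void)
{
    printf("read(0x7f)=%d read(0x80)=%d rejected=%d\n", demo_read(0x7f),
           demo_read(0x80), count_out_of_bounds_addrs());
    return 0;
}
```

Exactly half of the 256 values val & 0xff can take are rejected, which is the gap between "the array is now 128 bytes" and "every index into it is below 128".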