From: Paolo Bonzini
To: Peter Maydell, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PULL 23/36] cadence_gem: Add queue support
Date: Mon, 26 Sep 2016 13:01:52 +0200
Message-ID: <466f3766-e422-e316-1607-2f86da4f954a@redhat.com>
In-Reply-To: <1474564935-23831-24-git-send-email-peter.maydell@linaro.org>
References: <1474564935-23831-1-git-send-email-peter.maydell@linaro.org> <1474564935-23831-24-git-send-email-peter.maydell@linaro.org>

On 22/09/2016 19:22, Peter Maydell wrote:
> + case GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q15_PTR:
> + s->rx_desc_addr[offset - GEM_RECEIVE_Q1_PTR + 1] = val;
> + break;

MAX_PRIORITY_QUEUES is still 8, so this can cause an out-of-bounds write in s->rx_desc_addr (and likewise for s->tx_addr).

Paolo
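Review bot: the index `offset - GEM_RECEIVE_Q1_PTR + 1` in the quoted hunk ranges from 1 to 15 across the GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q15_PTR case range, while MAX_PRIORITY_QUEUES is 8, so if s->rx_desc_addr is sized by that constant the upper queue-pointer registers write past the end of the array. Since `offset` and `val` come from a register write, the store needs a bound before it is performed, either by narrowing the case range to the queues the array actually holds or by checking the computed index against MAX_PRIORITY_QUEUES and ignoring (or logging) out-of-range writes; the matching s->tx_addr path mentioned in the reply needs the same guard.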