authorBlue Swirl <blauwirbel@gmail.com>2011-01-12 21:00:01 +0000
committerBlue Swirl <blauwirbel@gmail.com>2011-01-12 21:00:01 +0000
commitc46a3ea025b147d58e4c7a222307ccba1e9e376f (patch)
tree5914a3450dcc1079efb0c802d62d71f6025be862
parentf0ff243a16362b82e4dae7bd991d13ba25bb5b2f (diff)
lan9118: fix a buffer overflow
Fix a buffer overflow, reported by cppcheck: [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom All eeprom handling code assumes that the size of eeprom is 128, except lan9118_eeprom_cmd. Fix this by restricting the address passed. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
-rw-r--r--hw/lan9118.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/hw/lan9118.c b/hw/lan9118.c
index a988664..9cc7952 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -187,7 +187,7 @@ typedef struct {
uint32_t phy_int_mask;
int eeprom_writable;
- uint8_t eeprom[8];
+ uint8_t eeprom[128];
int tx_fifo_size;
LAN9118Packet *txp;
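Review bot: The new array size in `uint8_t eeprom[128];` is a bare literal, and the `0x7f` mask added in the CSR_E2P_CMD case of lan9118_writel depends on it with nothing tying the two together. A named constant such as `#define LAN9118_EEPROM_SIZE 128`, used as `uint8_t eeprom[LAN9118_EEPROM_SIZE];` and `val & (LAN9118_EEPROM_SIZE - 1)`, would keep the index mask and the buffer in step if the size changes again. The struct definition starts and ends outside the hunk, so other users of the size are not visible here; the commit message says the rest of the eeprom code already assumes 128, and those sites would presumably benefit from the same constant.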
@@ -1003,7 +1003,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
s->afc_cfg = val & 0x00ffffff;
break;
case CSR_E2P_CMD:
- lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0xff);
+ lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
break;
case CSR_E2P_DATA:
s->e2p_data = val & 0xff;
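Review bot: The address is bounded only at this call site in the CSR_E2P_CMD case, so lan9118_eeprom_cmd itself still trusts whatever index it is handed. Since `val` is presumably the value the guest wrote to the register, this index is guest-controlled, and an out-of-range value would touch device state next to `eeprom`. A check at the top of the callee (not shown in this hunk), for example `assert(addr < sizeof(s->eeprom));` if its parameter is named `addr`, would protect any future caller as well. A short comment on the call, `/* 7-bit address: eeprom[] holds 128 bytes */`, would also explain why the mask is `0x7f` rather than `0xff`. lan9118_writel starts and ends outside the hunk.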