author | Blue Swirl <blauwirbel@gmail.com> | 2011-01-12 21:00:01 +0000 |
---|---|---|
committer | Blue Swirl <blauwirbel@gmail.com> | 2011-01-12 21:00:01 +0000 |
commit | c46a3ea025b147d58e4c7a222307ccba1e9e376f (patch) | |
tree | 5914a3450dcc1079efb0c802d62d71f6025be862 | |
parent | f0ff243a16362b82e4dae7bd991d13ba25bb5b2f (diff) | |
lan9118: fix a buffer overflow
Fix a buffer overflow, reported by cppcheck:
[/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom
All eeprom handling code assumes that the size of eeprom is 128,
except lan9118_eeprom_cmd. Fix this by restricting the address passed.
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
-rw-r--r-- | hw/lan9118.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/hw/lan9118.c b/hw/lan9118.c
index a988664..9cc7952 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -187,7 +187,7 @@ typedef struct {
 uint32_t phy_int_mask;
 int eeprom_writable;
- uint8_t eeprom[8];
+ uint8_t eeprom[128];
 int tx_fifo_size;
 LAN9118Packet *txp;
@@ -1003,7 +1003,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
 s->afc_cfg = val & 0x00ffffff;
 break;
 case CSR_E2P_CMD:
- lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0xff);
+ lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
 break;
 case CSR_E2P_DATA:
 s->e2p_data = val & 0xff; |
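Review bot: The new size in `uint8_t eeprom[128];` is a bare literal, and the `0x7f` mask in the CSR_E2P_CMD hunk depends on it with nothing tying the two together. The value written to that register comes from the guest, so a later change to one number without the other would bring the out-of-bounds access back. I would introduce a named constant, for example `#define LAN9118_EEPROM_SIZE 128`, declare the field as `uint8_t eeprom[LAN9118_EEPROM_SIZE];`, and mask with `val & (LAN9118_EEPROM_SIZE - 1)`. The commit message says the other eeprom code also assumes 128, so those sites could presumably use the same constant. The struct definition starts and ends outside the hunk.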
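Review bot: The bound on the EEPROM address is enforced only at this call site, by `val & 0x7f`, so `lan9118_eeprom_cmd` still trusts whatever address it is handed. The callee is not visible here, but the cppcheck report in the commit message points at the access to `s.eeprom`, so a range check against `sizeof(s->eeprom)` at the point of indexing would hold for any future caller as well. As written, guest-supplied addresses 128–255 are silently folded onto 0–127 rather than rejected. A short comment such as `/* eeprom[] holds 128 bytes; keep the guest-supplied address in range */` would record that this is intended. lan9118_writel starts and ends outside the hunk.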