Blue Swirl <blauwir...@gmail.com> writes: > Fix a buffer overflow, reported by cppcheck: > [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom > > All eeprom handling code assumes that the size of eeprom is 128. > > Signed-off-by: Blue Swirl <blauwir...@gmail.com> > --- > hw/lan9118.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/hw/lan9118.c b/hw/lan9118.c > index a988664..1bb829e 100644 > --- a/hw/lan9118.c > +++ b/hw/lan9118.c > @@ -187,7 +187,7 @@ typedef struct { > uint32_t phy_int_mask; > > int eeprom_writable; > - uint8_t eeprom[8]; > + uint8_t eeprom[128]; > > int tx_fifo_size; > LAN9118Packet *txp;
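Review bot: the hunk enlarges `eeprom` from 8 to 128 entries but adds no check on the index that reaches it; the commit message states that all EEPROM handling assumes a size of 128 without showing where that holds, and the `s->eeprom[addr]` accesses in `lan9118_eeprom_cmd()` take `addr` from `val & 0xff` in `lan9118_writel()`, so values 128..255 still index past the end of the enlarged array. Suggest rejecting or masking out-of-range addresses before the access in `lan9118_eeprom_cmd()`, and listing in the commit message which accesses were audited for the 128-byte assumption.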
Covers all the obvious accesses except for a couple of s->eeprom[addr] in lan9118_eeprom_cmd(). addr is a parameter there, and the actual argument is val & 0xff, in lan9118_writel(). What if val & 0xff >= 128?
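A cut-down model of the write path the reply is discussing, added here as an example rather than QEMU's own code: the `DevState` struct, the `eeprom_cmd`/`eeprom_reg_write` helpers and the register bit layout are assumptions that mirror the description above, and the handler refuses an address past the 128-byte array instead of indexing with it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical cut-down device state; the real struct has many more fields. */
typedef struct {
    int eeprom_writable;
    uint8_t eeprom[128];   /* size after the patch */
    uint8_t last_read;
} DevState;
/* Returns false instead of touching memory when addr is outside s->eeprom.
   cmd: 0 = read, 1 = write (encoding constructed for this example). */
static bool eeprom_cmd(DevState *s, int cmd, unsigned addr, uint8_t data)
{
    if (addr >= sizeof(s->eeprom)) {
        /* The guest supplies 8 address bits (val & 0xff) but the array has
           128 entries, so 128..255 must be refused, not dereferenced. */
        return false;
    }
    if (cmd == 0) {
        s->last_read = s->eeprom[addr];
        return true;
    }
    if (cmd == 1 && s->eeprom_writable) {
        s->eeprom[addr] = data;
        return true;
    }
    return false;
}

/* Models the guest register write: low 8 bits are the address, bits 8..15
   the data byte, bits 28..31 the command (layout constructed for the example). */
static bool eeprom_reg_write(DevState *s, uint32_t val)
{
    return eeprom_cmd(s, (val >> 28) & 0xf, val & 0xff, (val >> 8) & 0xff);
}

/* Exercises the cases from the thread; returns how many of the four checks hold. */
static int eeprom_selftest(void)
{
    DevState s;
    memset(&s, 0, sizeof(s));
    s.eeprom_writable = 1;
    int ok = 0;
    ok += eeprom_reg_write(&s, (1u << 28) | (0xABu << 8) | 0x7f) && s.eeprom[127] == 0xAB;
    ok += eeprom_reg_write(&s, 0x7f) && s.last_read == 0xAB;  /* read back */
    ok += !eeprom_reg_write(&s, (1u << 28) | 0x80);            /* addr 128 refused */
    ok += !eeprom_reg_write(&s, 0xff);                         /* addr 255 refused */
    return ok;
}
```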