lan9118: fix a buffer overflow

Fix a buffer overflow, reported by cppcheck: [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom All eeprom handling code assumes that the size of eeprom is 128, except lan9118_eeprom_cmd. Fix this by restricting the address passed. Signed-off-by: N Blue Swirl <blauwirbel@gmail.com>

lan9118: fix a buffer overflow
Fix a buffer overflow, reported by cppcheck: [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom All eeprom handling code assumes that the size of eeprom is 128, except lan9118_eeprom_cmd. Fix this by restricting the address passed. Signed-off-by: N Blue Swirl <blauwirbel@gmail.com>
c46a3ea0 · Blue Swirl · f0ff243a · c46a3ea0
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

hw/lan9118.c hw/lan9118.c +2 -2

未找到文件。
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -187,7 +187,7 @@ typedef struct {
    uint32_t phy_int_mask;

    int eeprom_writable;
-    uint8_t eeprom[8];
+    uint8_t eeprom[128];

    int tx_fifo_size;
    LAN9118Packet *txp;
@@ -1003,7 +1003,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
        s->afc_cfg = val & 0x00ffffff;
        break;
    case CSR_E2P_CMD:
-        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0xff);
+        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
        break;
    case CSR_E2P_DATA:
        s->e2p_data = val & 0xff;