lan9118: fix a buffer overflow

Fix a buffer overflow, reported by cppcheck:
[/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom

All eeprom handling code assumes that the size of eeprom is 128,
except lan9118_eeprom_cmd. Fix this by restricting the address passed.

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

diff --git a/hw/lan9118.c b/hw/lan9118.c
index a98866479be3c79217265affbd1eb1fa3ce44233..9cc7952b2a568b96c30b71322d399de569742491 100644 (file)
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -187,7 +187,7 @@ typedef struct {
     uint32_t phy_int_mask;
 
     int eeprom_writable;
-    uint8_t eeprom[8];
+    uint8_t eeprom[128];
 
     int tx_fifo_size;
     LAN9118Packet *txp;
@@ -1003,7 +1003,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
         s->afc_cfg = val & 0x00ffffff;
         break;
     case CSR_E2P_CMD:
-        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0xff);
+        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
         break;
     case CSR_E2P_DATA:
         s->e2p_data = val & 0xff;