qemu-devel

Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow


From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 6/7] lan9118: fix a buffer overflow
Date: Mon, 10 Jan 2011 16:14:25 -0600

On 10 January 2011 15:50, Blue Swirl <address@hidden> wrote:
> On Mon, Jan 10, 2011 at 12:45 PM, Markus Armbruster <address@hidden> wrote:
>> Covers all the obvious accesses except for a couple of s->eeprom[addr]
>> in lan9118_eeprom_cmd().  addr is a parameter there, and the actual
>> argument is val & 0xff, in lan9118_writel().  What if val & 0xff >= 128?
>
> Should the size be 256 and cases with 128 changed accordingly? Or mask
> changed to 0x7f?

Size should be 128, I think. The SMSC 9118 datasheet:
http://www.smsc.com/media/Downloads_Public/Data_Sheets/9118.pdf
says it supports "most “93C46” type EEPROMs configured for
128 x 8-bit operation", and if you look at the timing diagram in
figure 3.8 EEDIO is outputting address bits A0 to A6.
The data sheet doesn't say what the actual effect of writing a
bit-8-set value to E2P_CMD's address field is, but "ignore the
high bit" seems like a good guess.

-- PMM
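
Added example, not part of the original message and not QEMU's code: a small C model of the address handling discussed in this thread, with a 128-byte array indexed by the low 8 bits of the register write. It counts which address-field values overflow when used unmasked and checks that masking with 0x7f keeps every access in bounds. The struct, the function names and the guard array are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EEPROM_SIZE      128u   /* "128 x 8-bit operation" */
#define EEPROM_ADDR_MASK 0x7fu  /* address bits A0..A6 */

/* Hypothetical device model for illustration; not QEMU's lan9118 state. */
struct eeprom_model {
    uint8_t eeprom[EEPROM_SIZE];
    uint8_t guard[EEPROM_SIZE]; /* stands in for the fields after the array */
};

/* Address field as the thread describes it: the low 8 bits of the write. */
static unsigned addr_field(uint32_t val) { return val & 0xffu; }

/* 1 if using the raw field as an index would run past eeprom[]. */
int addr_overflows(uint32_t val) { return addr_field(val) >= EEPROM_SIZE; }

/* "Ignore the high bit": fold the field into the 7 address bits. */
unsigned addr_masked(uint32_t val) { return addr_field(val) & EEPROM_ADDR_MASK; }

/* How many of the 256 possible field values overflow without the mask. */
int count_overflowing(void)
{
    int n = 0;
    for (uint32_t v = 0; v < 256; v++)
        n += addr_overflows(v);
    return n;
}

/* Write through every field value with the mask; 1 if guard[] is untouched. */
int masked_writes_stay_in_bounds(void)
{
    struct eeprom_model m;
    memset(&m, 0, sizeof(m));
    for (uint32_t v = 0; v < 256; v++)
        m.eeprom[addr_masked(v)] = 0xa5;
    for (unsigned i = 0; i < EEPROM_SIZE; i++)
        if (m.guard[i] != 0 || m.eeprom[i] != 0xa5)
            return 0;
    return 1;
}

int main(void)
{
    printf("unmasked overflowing values: %d of 256\n", count_overflowing());
    printf("0x80 -> %u, 0xff -> %u\n", addr_masked(0x80), addr_masked(0xff));
    printf("masked writes in bounds: %d\n", masked_writes_stay_in_bounds());
    return 0;
}
```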


