heap-buffer-overflow in smc91c111_do_tx() Description of problem: A buffer-overflow bug was triggered by my fuzzer at smc91c111_do_tx(). I've patched hw/net/smc91c111.c with: ``` diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 702d0e8e83..286298bf06 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -429,7 +429,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,              /* Ignore.  */              return;          case 2: /* Packet Number Register */ -            s->packet_num = value; +            s->packet_num = value & (NUM_PACKETS - 1);              return;          case 3: case 4: case 5:              /* Should be readonly, but linux writes to them anyway. Ignore.  */ ``` The error is: ``` ==2724739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022941 at pc 0x595ebbed687b bp 0x7fffa0098a50 sp 0x7fffa0098a48 READ of size 1 at 0x629000022941 thread T0 #0 0x595ebbed687a in smc91c111_do_tx hw/net/smc91c111.c:240:19 #1 0x595ebbed687a in smc91c111_queue_tx hw/net/smc91c111.c:284:5 #2 0x595ebbed687a in smc91c111_writeb hw/net/smc91c111.c:419:17 #3 0x595ebbed687a in smc91c111_writefn hw/net/smc91c111.c:666:9 #4 0x595ebd174d33 in memory_region_write_accessor system/memory.c:497:5 #5 0x595ebd1744aa in access_with_adjusted_size system/memory.c:573:18 #6 0x595ebd1738d8 in memory_region_dispatch_write system/memory.c #7 0x595ebd1cc984 in flatview_write_continue_step system/physmem.c:2786:18 #8 0x595ebd1b9880 in flatview_write_continue system/physmem.c:2816:19 #9 0x595ebd1b9880 in flatview_write system/physmem.c:2847:12 #10 0x595ebd1b9517 in address_space_write system/physmem.c:2967:18 #11 0x595ebc77d5c3 in qtest_process_command system/qtest.c:522:13 #12 0x595ebc77b83b in qtest_process_inbuf system/qtest.c:776:9 ... ``` Steps to reproduce: ``` export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb" cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio clock_step clock_step writel 0x4e000000 0x2b1e08f5 writew 0x4e000000 0x2b1e08f5 writel 0x4e00000c 0x66027d24 clock_step readb 0x4e000000 writel 0x4e000008 0x238e1f29 writew 0x4e000000 0x41d9fe3b writel 0x4e00000c 0x27022a2d clock_step readw 0x4e000004 clock_step readb 0x4e000008 clock_step writew 0x4e000000 0x620c5fdf EOF ``` Additional information: