On 22/09/2016 19:22, Peter Maydell wrote: > + case GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q15_PTR: > + s->rx_desc_addr[offset - GEM_RECEIVE_Q1_PTR + 1] = val; > + break;
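Review bot: The store in the GEM_RECEIVE_Q1_PTR ... GEM_RECEIVE_Q15_PTR case uses `offset - GEM_RECEIVE_Q1_PTR + 1` as an index into s->rx_desc_addr with no check against the size of that array. The index is derived directly from the register offset being written, and the case range covers fifteen queue pointer registers. Either size the array so every index the range can produce is valid, or compare the computed index against the number of queues before storing val and ignore the write when it is out of range.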
MAX_PRIORITY_QUEUES is still 8, so this can cause an out-of-bounds write in s->rx_desc_addr (and likewise for s->tx_addr).

Paolo