From 235a39714cc16e336c96bb314be2ee95fe30d9f2 Mon Sep 17 00:00:00 2001
From: Mark Pizzolato
Date: Sat, 11 Mar 2017 16:00:00 -0800
Subject: [PATCH] PDP11, VAX: XQ device fixes (COVERITY)

- Fix potential beyond array bounds memory references
- Fix MOP protocol packet parsing

---
 PDP11/pdp11_xq.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/PDP11/pdp11_xq.c b/PDP11/pdp11_xq.c
index 8fc50f4d..b09ff2fc 100644
--- a/PDP11/pdp11_xq.c
+++ b/PDP11/pdp11_xq.c
@@ -632,7 +632,7 @@ t_stat xq_ex (t_value* vptr, t_addr addr, UNIT* uptr, int32 sw)
 else if (xq->var->type == XQ_T_DELQA_PLUS)
 bootrom = xq_bootrom_delqat;
- if (addr <= sizeof(xq_bootrom_delqa)/2)
+ if ((bootrom) && (addr < sizeof(xq_bootrom_delqa)/2))
 *vptr = bootrom[addr];
 else
 *vptr = 0;
@@ -1348,7 +1348,7 @@ t_stat xq_process_mop(CTLR* xq)
 } /* switch */
 /* process next meb */
- meb += sizeof(struct xq_meb);
+ meb += 1;
 } /* while */
 return SCPE_OK;
@@ -1975,9 +1975,13 @@ t_stat xq_process_loopback(CTLR* xq, ETH_PACK* pack)
 ETH_MAC *physical_address;
 t_stat status;
 int offset = 16 + (pack->msg[14] | (pack->msg[15] << 8));
- int function = pack->msg[offset] | (pack->msg[offset+1] << 8);
+ int function;
- sim_debug(DBG_TRC, xq->dev, "xq_process_loopback()\n");
+ if (offset > ETH_MAX_PACKET - 8)
+ return SCPE_NOFNC;
+ function = pack->msg[offset] | (pack->msg[offset+1] << 8);
+
+ sim_debug(DBG_TRC, xq->dev, "xq_process_loopback(function=%d)\n", function);
 if (function != 2 /*forward*/)
 return SCPE_NOFNC;
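Review bot: The new guard bounds `addr` by `sizeof(xq_bootrom_delqa)/2` no matter which image `bootrom` was set to, so when `bootrom` is `xq_bootrom_delqat` the read is only in bounds if the DELQA-T image is at least as large as the DELQA one, which this hunk cannot show. Taking the bound from the selected array removes that dependency: record a length beside each assignment, e.g. `bootrom_len = sizeof(xq_bootrom_delqat)/sizeof(xq_bootrom_delqat[0]);`, and test `if ((bootrom) && (addr < bootrom_len))`. Dividing `sizeof` by 2 also hard-codes the element width; `sizeof(x)/sizeof(x[0])` states the intent without that assumption. xq_ex begins before this hunk, so the earlier `bootrom` assignments and its initial value are outside view.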
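Review bot: The comment above `meb += 1;` should say why a bare increment is correct, since the replaced `meb += sizeof(struct xq_meb)` shows the pointer arithmetic was misread once already; something like `/* meb is a struct xq_meb pointer: +1 steps one whole entry, not one byte */`. The loop's continuation condition is outside this hunk, so whether `meb` is checked against the received packet length after the increment cannot be confirmed here; it is worth verifying, because a malformed MOP packet determines how far this loop walks into the buffer. xq_process_mop begins before this hunk.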
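Review bot: The added guard compares `offset` with the buffer capacity (`ETH_MAX_PACKET - 8`) but not with the length actually received for this packet, so a short loopback frame whose bytes 14–15 point past its own payload has `function` parsed from whatever the buffer held before. If ETH_PACK carries the received length (assumed to be `pack->len`; the field is not visible here), extend the test to `if ((offset > ETH_MAX_PACKET - 8) || (offset + 2 > pack->len)) return SCPE_NOFNC;`. The same consideration applies to the reads of `pack->msg[14]` and `pack->msg[15]` that compute `offset`, which need at least 16 bytes received unless the caller already guarantees that. xq_process_loopback continues after this hunk, where `physical_address` and `status` are used.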