diff --git a/chb/buffer/LibraryCallCallsites.py b/chb/buffer/LibraryCallCallsites.py
index cbb7219c..70d3f37c 100644
--- a/chb/buffer/LibraryCallCallsites.py
+++ b/chb/buffer/LibraryCallCallsites.py
@@ -212,6 +212,25 @@ def lenarg(self) -> Optional["XXpr"]:
                     return self.instr.call_arguments[lenindex - 1]
         return None
 
+    @property
+    def lenaddr(self) -> Optional[str]:
+        if self.lenarg is None:
+            return None
+        regname = str(self.lenarg)
+        locs = self.instr.reaching_definitions(regname)
+        valid = [loc for loc in locs if loc != "init"]
+        if len(valid) == 1:
+            return valid[0]
+        elif len(valid) == 0:
+            chklogger.logger.warning(
+                "No valid reaching def for %s at %s", regname, self.instr.iaddr)
+            return None
+        else:
+            # Multiple reaching defs means a join point — ambiguous, can't patch
+            chklogger.logger.warning(
+                "Multiple reaching defs for %s at %s: %s", regname, self.instr.iaddr, valid)
+            return None
+
     @property
     def lentype(self) -> str:
         lenarg = self.lenarg
@@ -254,6 +273,7 @@ def to_json_result(self,
         content["stack-offset"] = dstoffset
         if self.lenarg is not None:
             content["length-argument"] = str(self.lenarg)
+            content["length-addr"] = self.lenaddr
         else:
             content["length-argument"] = None
         content["spare"] = spare