[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-ove
From: |
Peter Crosthwaite |
Subject: |
Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun |
Date: |
Mon, 14 May 2012 14:57:17 +1000 |
ACK and Thanks Jim,
Reviewed-by: Peter A.G. Crosthwaite <address@hidden>
On Fri, May 11, 2012 at 2:19 AM, Jim Meyering <address@hidden> wrote:
> From: Jim Meyering <address@hidden>
>
> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
> of bytes to clear. The latter would always clear 4 or 8
> bytes, possibly writing beyond the end of that stack buffer.
> Alternatively, depending on the value of the "size" parameter,
> it could fail to initialize the end of "rxbuf".
> Spotted by coverity.
>
> Signed-off-by: Jim Meyering <address@hidden>
> ---
> hw/cadence_gem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
> index e2140ae..dbde392 100644
> --- a/hw/cadence_gem.c
> +++ b/hw/cadence_gem.c
> @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const
> uint8_t *buf, size_t size)
> */
>
> memcpy(rxbuf, buf, size);
> - memset(rxbuf + size, 0, sizeof(rxbuf - size));
> + memset(rxbuf + size, 0, sizeof(rxbuf) - size);
> rxbuf_ptr = rxbuf;
> crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
> if (size < 60) {
> --
> 1.7.10.1.487.ga3935e6
>