From: Peter Crosthwaite
Subject: Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun
Date: Mon, 14 May 2012 14:57:17 +1000

ACK and Thanks Jim,

Reviewed-by: Peter A.G. Crosthwaite <address@hidden>

On Fri, May 11, 2012 at 2:19 AM, Jim Meyering <address@hidden> wrote:
> From: Jim Meyering <address@hidden>
>
> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
> of bytes to clear.  The latter would always clear 4 or 8
> bytes, possibly writing beyond the end of that stack buffer.
> Alternatively, depending on the value of the "size" parameter,
> it could fail to initialize the end of "rxbuf".
> Spotted by Coverity.
>
> Signed-off-by: Jim Meyering <address@hidden>
> ---
>  hw/cadence_gem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
> index e2140ae..dbde392 100644
> --- a/hw/cadence_gem.c
> +++ b/hw/cadence_gem.c
> @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const 
> uint8_t *buf, size_t size)
>          */
>
>         memcpy(rxbuf, buf, size);
> -        memset(rxbuf + size, 0, sizeof(rxbuf - size));
> +        memset(rxbuf + size, 0, sizeof(rxbuf) - size);
>         rxbuf_ptr = rxbuf;
>         crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
>         if (size < 60) {
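Review bot: the corrected length `sizeof(rxbuf) - size` is only safe when `size <= sizeof(rxbuf)` has already been established, and nothing in the visible context of this hunk checks that: the preceding `memcpy(rxbuf, buf, size)` copies `size` bytes unconditionally, so a frame larger than the buffer would already overrun on the memcpy and then make the subtraction wrap to a huge `size_t` for memset. Worth confirming that a bound on `size` exists above the hunk (or that the caller guarantees it), and otherwise rejecting or truncating frames larger than `sizeof(rxbuf)` before the memcpy. The expression change itself is right: `rxbuf - size` has pointer type, so `sizeof(rxbuf - size)` was the size of a pointer, which is the constant 4 or 8 the commit message describes, not the remaining space in the buffer.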
> --
> 1.7.10.1.487.ga3935e6
>
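To make the defect concrete, the following is an added C example, not QEMU code: `RXBUF_LEN`, `buggy_clear_len`, `receive_frame` and `tail_is_zeroed` are constructed names, and the 2048-byte buffer size is an assumption for the example only. It shows that the pre-patch expression always evaluates to the size of a pointer, and models the patched receive path with the bounds guard on `size` that the subtraction relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RXBUF_LEN 2048 /* constructed buffer size for this example */

/* Pre-patch length expression, kept only to show what it computes.
 * rxbuf decays to uint8_t *, so (rxbuf - size) is a pointer and
 * sizeof(rxbuf - size) is sizeof(uint8_t *): 4 or 8, never the
 * number of bytes left in the buffer. */
size_t buggy_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    return sizeof(rxbuf - size);
}

/* Patched receive path plus the guard it depends on: copy the frame
 * into a fixed stack buffer, zero the remainder with
 * sizeof(rxbuf) - size, and return the number of bytes zeroed.
 * Returns -1 if the frame does not fit, since without that check the
 * memcpy overruns and the subtraction wraps around as size_t.
 * The whole buffer is copied to copy_out so a caller can inspect it. */
long receive_frame(const uint8_t *frame, size_t size, uint8_t *copy_out)
{
    uint8_t rxbuf[RXBUF_LEN];
    size_t tail;

    if (size > sizeof(rxbuf)) {
        return -1;
    }
    memcpy(rxbuf, frame, size);
    tail = sizeof(rxbuf) - size;            /* the patched expression */
    memset(rxbuf + size, 0, tail);
    if (copy_out) {
        memcpy(copy_out, rxbuf, sizeof(rxbuf));
    }
    return (long)tail;
}

/* Constructed check: receive a frame of `size` bytes filled with 0xAB
 * and verify the payload survived and every byte past it reads zero. */
int tail_is_zeroed(size_t size)
{
    uint8_t frame[RXBUF_LEN], out[RXBUF_LEN];
    size_t i;

    memset(frame, 0xAB, sizeof(frame));
    if (receive_frame(frame, size, out) != (long)(RXBUF_LEN - size)) return 0;
    for (i = 0; i < size; i++) if (out[i] != 0xAB) return 0;
    for (; i < RXBUF_LEN; i++) if (out[i] != 0) return 0;
    return 1;
}
```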