[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] xilinx_spips: Correct usage of an uninitialized
|
From: |
Peter Maydell |
|
Subject: |
Re: [Qemu-devel] [PATCH] xilinx_spips: Correct usage of an uninitialized local variable |
|
Date: |
Tue, 16 Jan 2018 11:54:41 +0000 |
On 14 January 2018 at 22:55, Francisco Iglesias
<address@hidden> wrote:
> Coverity found that the variable tx_rx in the function
> xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
> patch corrects this by always initializing tx_rx to zeros.
>
> Signed-off-by: Francisco Iglesias <address@hidden>
> ---
> hw/ssi/xilinx_spips.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index d8187fa..77e1bbe 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -210,6 +210,8 @@
> #define SNOOP_NONE 0xEE
> #define SNOOP_STRIPING 0
>
> +#define MAX_NUM_EFFECTIVE_BUSSES 2
> +
> static inline int num_effective_busses(XilinxSPIPS *s)
> {
> return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> @@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
> for (;;) {
> int i;
> uint8_t tx = 0;
> - uint8_t tx_rx[num_effective_busses(s)];
> + uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 };
> uint8_t dummy_cycles = 0;
> uint8_t addr_length;
It doesn't look like your device's realize method is sanity checking
the num_busses property, so this change means that the user can
make the device model segfault by passing it a num_busses property
value larger than 2...
thanks
-- PMM