From: Eric Sesterhenn / Snakebyte <snakebyte@gmx.de>
To: Mikael Pettersson <mikpe@it.uu.se>
Cc: linux-kernel@vger.kernel.org, snakebyte@gmx.de, gregkh@suse.de
Subject: Re: [Patch] Off by one in drivers/usb/serial/usb-serial.c
Date: Mon, 26 Jun 2006 00:59:21 +0200
Message-ID: <20060625225920.GA16834@alice>
In-Reply-To: <200606221331.k5MDVua9010794@harpo.it.uu.se>
* Mikael Pettersson (mikpe@it.uu.se) wrote:
> On Wed, 21 Jun 2006 23:28:17 +0200, Eric Sesterhenn wrote:
> > this fixes coverity id #554. since serial table
> > is defined as serial_table[SERIAL_TTY_MINORS] we
> > should make sure we don't access with an index
> > of SERIAL_TTY_MINORS.
> >
> > Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
> >
> > --- linux-2.6.17-git2/drivers/usb/serial/usb-serial.c.orig 2006-06-21 23:24:07.000000000 +0200
> > +++ linux-2.6.17-git2/drivers/usb/serial/usb-serial.c 2006-06-21 23:25:12.000000000 +0200
> > @@ -83,7 +83,7 @@ static struct usb_serial *get_free_seria
> >
> > good_spot = 1;
> > for (j = 1; j <= num_ports-1; ++j)
> > - if ((i+j >= SERIAL_TTY_MINORS) || (serial_table[i+j])) {
> > + if ((i+j >= SERIAL_TTY_MINORS-1)||(serial_table[i+j])) {
> > good_spot = 0;
> > i += j;
> > break;
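Review bot: The tightened bound on the changed `if` line is not needed and costs a usable slot. Because `||` short-circuits, `serial_table[i+j]` is evaluated only when `i+j >= SERIAL_TTY_MINORS` is false, so the index is already at most SERIAL_TTY_MINORS-1, which is the last valid element of serial_table[SERIAL_TTY_MINORS]. With `i+j >= SERIAL_TTY_MINORS-1` the final entry can never be claimed as a second or later port of a multi-port device. I would drop the change and mark the checker finding as a false positive. Separately, the new line removes the spaces around `||`, which differs from the line it replaces.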
>
> Where is the access coverity complained about? If it's the serial_table[i+j]
> quoted above, then the original code is OK since i+j < SERIAL_TTY_MINORS is
> an invariant in that subexpression.
>
> And the other accesses to serial_table[] in get_free_serial() are also only
> done when the index is < SERIAL_TTY_MINORS.
Guess I was too quick on that one, sorry. Here is the Coverity
report for completeness.
Event assignment: Assigning "1" to "j"
Also see events: [overrun-local]
At conditional (11): "j <= (num_ports - 1)" taking true path
At conditional (16): "j <= (num_ports - 1)" taking true path
85 for (j = 1; j <= num_ports-1; ++j)
Event overrun-local: Overrun of static array "serial_table" of size 255
at position 255 with index variable "(i + j)"
Also see events: [assignment]
At conditional (12): "(i + j) >= 255" taking true path
At conditional (17): "(i + j) >= 255" taking false path
86 if ((i+j >= SERIAL_TTY_MINORS) ||
(serial_table[i+j])) {
87 good_spot = 0;
88 i += j;
89 break;
90 }
greetings, Eric
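
Added example, not part of the original message or of the kernel source: a simplified user-space model of the quoted inner loop that records the highest index actually read, so the short-circuit argument from the thread can be checked by running it. The names `read_slot`, `find_free_run` and `max_index_read`, the outer loop and the table contents are assumptions made for the illustration.

```c
#include <stdio.h>

#define SERIAL_TTY_MINORS 255	/* array size given in the Coverity report */

static void *serial_table[SERIAL_TTY_MINORS];
static int max_index_read;	/* highest index passed to read_slot() */

/* Instrumented read: records which indexes are actually touched. */
static void *read_slot(int idx)
{
	if (idx > max_index_read)
		max_index_read = idx;
	return serial_table[idx];
}

/*
 * Simplified model of the slot search; the outer loop is an assumption, only
 * the inner loop is quoted in the thread. Constructed scenario: every slot is
 * busy except the last two. 'limit' is SERIAL_TTY_MINORS (original check) or
 * SERIAL_TTY_MINORS-1 (patched). Returns the start of a free run, or -1.
 */
static int find_free_run(int num_ports, int limit)
{
	static int busy;
	int i, j, good_spot;

	max_index_read = -1;
	for (i = 0; i < SERIAL_TTY_MINORS; ++i)
		serial_table[i] = (i < SERIAL_TTY_MINORS - 2) ? (void *)&busy : NULL;
	for (i = 0; i < SERIAL_TTY_MINORS; ++i) {
		if (read_slot(i))
			continue;
		good_spot = 1;
		for (j = 1; j <= num_ports - 1; ++j)
			/* || short-circuits: read_slot() runs only if i+j < limit */
			if ((i + j >= limit) || read_slot(i + j)) {
				good_spot = 0;
				i += j;
				break;
			}
		if (good_spot)
			return i;
	}
	return -1;
}

int main(void)
{
	int orig = find_free_run(2, SERIAL_TTY_MINORS);
	int patched = find_free_run(2, SERIAL_TTY_MINORS - 1);

	printf("2 ports: original -> %d, patched -> %d\n", orig, patched);
	return 0;
}
```

With the original bound the two-port device gets slots 253 and 254 and index 255 is never read, even when a four-port request runs off the end of the table; with the `-1` bound the same free pair is rejected.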