From: Greg KH <gregkh@suse.de>
To: Eric Sesterhenn / Snakebyte <snakebyte@gmx.de>
Cc: Mikael Pettersson <mikpe@it.uu.se>, linux-kernel@vger.kernel.org
Subject: Re: [Patch] Off by one in drivers/usb/serial/usb-serial.c
Date: Mon, 26 Jun 2006 12:10:07 -0700
Message-ID: <20060626191007.GA21925@suse.de>
In-Reply-To: <20060625225920.GA16834@alice>

On Mon, Jun 26, 2006 at 12:59:21AM +0200, Eric Sesterhenn / Snakebyte wrote:
> * Mikael Pettersson (mikpe@it.uu.se) wrote:
> > On Wed, 21 Jun 2006 23:28:17 +0200, Eric Sesterhenn wrote:
> > > This fixes Coverity id #554. Since serial table
> > > is defined as serial_table[SERIAL_TTY_MINORS] we
> > > should make sure we don't access it with an index
> > > of SERIAL_TTY_MINORS.
> > > 
> > > Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
> > > 
> > > --- linux-2.6.17-git2/drivers/usb/serial/usb-serial.c.orig	2006-06-21 23:24:07.000000000 +0200
> > > +++ linux-2.6.17-git2/drivers/usb/serial/usb-serial.c	2006-06-21 23:25:12.000000000 +0200
> > > @@ -83,7 +83,7 @@ static struct usb_serial *get_free_seria
> > >  
> > >  		good_spot = 1;
> > >  		for (j = 1; j <= num_ports-1; ++j)
> > > -			if ((i+j >= SERIAL_TTY_MINORS) || (serial_table[i+j])) {
> > > +			if ((i+j >= SERIAL_TTY_MINORS-1)||(serial_table[i+j])) {
> > >  				good_spot = 0;
> > >  				i += j;
> > >  				break;
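Review bot: the bounds change in this hunk, from `i+j >= SERIAL_TTY_MINORS` to `i+j >= SERIAL_TTY_MINORS-1`, is not needed and costs one usable minor. `||` evaluates its left operand first, so `serial_table[i+j]` is only read when `i+j < SERIAL_TTY_MINORS`, which is already in range for an array declared with SERIAL_TTY_MINORS entries; with the new constant the loop rejects any run of ports whose last port would land on index `SERIAL_TTY_MINORS-1`, a valid slot. Suggest dropping the change, or, if the analyzer finding needs to be silenced, keeping the original condition and noting the short-circuit invariant in a comment above the loop.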
> > 
> > Where is the access coverity complained about? If it's the serial_table[i+j]
> > quoted above, then the original code is OK since i+j < SERIAL_TTY_MINORS is
> > an invariant in that subexpression.
> > 
> > And the other accesses to serial_table[] in get_free_serial() are also only
> > done when the index is < SERIAL_TTY_MINORS.
> 
> Guess I was too quick on that one, sorry. Here is the Coverity
> report for completeness.
> 
> Event assignment: Assigning "1" to "j"
> Also see events: [overrun-local]
> At conditional (11): "j <= (num_ports - 1)" taking true path
> At conditional (16): "j <= (num_ports - 1)" taking true path
> 
> 85   			for (j = 1; j <= num_ports-1; ++j)
> 
> Event overrun-local: Overrun of static array "serial_table" of size 255
> at position 255 with index variable "(i + j)"
> Also see events: [assignment]
> At conditional (12): "(i + j) >= 255" taking true path
> At conditional (17): "(i + j) >= 255" taking false path
> 
> 86   				if ((i+j >= SERIAL_TTY_MINORS) || (serial_table[i+j])) {
> 87   					good_spot = 0;
> 88   					i += j;
> 89   					break;
> 90   				}

So, what does this mean?  That coverity is broken, yet again?

I'm getting very tired of these false positives from them, it is getting
so that I can't trust the output of the tool at all :(

thanks,

greg k-h
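As an added example (not code from this thread or from the kernel tree), the quoted loop rebuilt as a stand-alone C harness so the two bounds can be compared directly: with the original constant the table is never read past its end because `||` short-circuits, while the patched constant makes the scan refuse a free run that ends in the last minor. The outer scan over `i`, the table size 255 (taken from the Coverity report) and the instrumented `slot()` accessor are assumptions of this harness.

```c
#include <stddef.h>
#include <string.h>

/* 255 matches "size 255" in the quoted Coverity report; the real kernel
 * value of SERIAL_TTY_MINORS is assumed to be the same here. */
#define SERIAL_TTY_MINORS 255

/* Stand-in for the kernel's serial_table: non-NULL means the minor is in use. */
static void *serial_table[SERIAL_TTY_MINORS];
static int dummy;

/* Highest index ever read from serial_table; lets a caller prove that the
 * original condition never reaches index SERIAL_TTY_MINORS. */
static int max_index_read = -1;

static void *slot(int idx)
{
    if (idx > max_index_read)
        max_index_read = idx;
    return serial_table[idx];
}

/* Constructed setup: mark minors [from, to] as taken, everything else free. */
static void reset_table(int from, int to)
{
    memset(serial_table, 0, sizeof(serial_table));
    max_index_read = -1;
    for (int k = from; k <= to; ++k)
        serial_table[k] = &dummy;
}

/* The loop from the patch, with the outer scan over i as in get_free_serial
 * (assumed). 'limit' is the constant in the bounds test: SERIAL_TTY_MINORS
 * for the original code, SERIAL_TTY_MINORS-1 for the patched code.
 * Returns the first minor of a free run of num_ports, or -1 if none fits. */
static int get_free_minor(int num_ports, int limit)
{
    for (int i = 0; i < SERIAL_TTY_MINORS; ++i) {
        if (slot(i))
            continue;
        int good_spot = 1;
        for (int j = 1; j <= num_ports - 1; ++j)
            /* Left operand first: slot(i+j) runs only when i+j < limit,
             * so with limit == SERIAL_TTY_MINORS the read is always in range. */
            if ((i + j >= limit) || (slot(i + j))) {
                good_spot = 0;
                i += j;
                break;
            }
        if (good_spot)
            return i;
    }
    return -1;
}
```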

Thread overview: 6+ messages
2006-06-22 13:31 [Patch] Off by one in drivers/usb/serial/usb-serial.c Mikael Pettersson
2006-06-22 14:28 ` Eric Sesterhenn / Snakebyte
2006-06-25 22:59 ` Eric Sesterhenn / Snakebyte
2006-06-26 19:10   ` Greg KH [this message]
2006-06-26 19:30     ` Eric Sesterhenn / Snakebyte
2006-06-21 21:28 Eric Sesterhenn