From: Stefan Weil <sw@weilnetz.de>
To: Anthony Liguori <aliguori@us.ibm.com>
Cc: Blue Swirl <blauwirbel@gmail.com>,
	Jim Meyering <meyering@redhat.com>,
	Peter Crosthwaite <peter.crosthwaite@petalogix.com>,
	qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun
Date: Sun, 10 Jun 2012 22:34:13 +0200
Message-ID: <4FD504C5.6080101@weilnetz.de>
In-Reply-To: <CAEgOgz4kvc5Lpex8DoxK4YLbfJ_BrX_V+eBricah6uCoEThFOg@mail.gmail.com>

On 14.05.2012 06:57, Peter Crosthwaite wrote:
> ACK and Thanks Jim,
>
> Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
>
> On Fri, May 11, 2012 at 2:19 AM, Jim Meyering <jim@meyering.net> wrote:
>    
>> From: Jim Meyering <meyering@redhat.com>
>>
>> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
>> of bytes to clear.  The latter would always clear 4 or 8
>> bytes, possibly writing beyond the end of that stack buffer.
>> Alternatively, depending on the value of the "size" parameter,
>> it could fail to initialize the end of "rxbuf".
>> Spotted by coverity.
>>
>> Signed-off-by: Jim Meyering <meyering@redhat.com>
>> ---
>>   hw/cadence_gem.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
>> index e2140ae..dbde392 100644
>> --- a/hw/cadence_gem.c
>> +++ b/hw/cadence_gem.c
>> @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
>>           */
>>
>>          memcpy(rxbuf, buf, size);
>> -        memset(rxbuf + size, 0, sizeof(rxbuf - size));
>> +        memset(rxbuf + size, 0, sizeof(rxbuf) - size);
>>          rxbuf_ptr = rxbuf;
>>          crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
>>          if (size<  60) {
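Review bot: the corrected length sizeof(rxbuf) - size is only safe if size <= sizeof(rxbuf) has been established before the memcpy(rxbuf, buf, size) two lines above it, and that guard is not in the visible context of this hunk; since size_t is unsigned, a larger size would both overrun rxbuf in the memcpy and wrap the subtraction into a huge memset length. Worth confirming the check exists earlier in gem_receive() or adding one that drops the oversized frame, and a short comment stating that the memset pads rxbuf out to sizeof(rxbuf) would make the intent obvious to the next reader. The diagnosis in the commit message is right: sizeof(rxbuf - size) is the size of a pointer expression, so the old code always cleared 4 or 8 bytes.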
>> --
>> 1.7.10.1.487.ga3935e6
>>      


Ping. This patch is still missing in 1.1 and master.
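As an added illustration (not code from this thread or from QEMU), the C below contrasts the two expressions the patch swaps and wraps the patched form in a receive routine with the size guard it depends on; RXBUF_LEN, prepatch_memset_len, receive_padded and check_receive are constructed names, and the real size of rxbuf is not shown in the quoted hunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Constructed size; the real size of rxbuf is not visible in the hunk. */
#define RXBUF_LEN 2048

/* The pre-patch expression: rxbuf decays to uint8_t *, so this is the
 * size of a pointer (4 or 8) for any size, not the bytes left to clear. */
size_t prepatch_memset_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    (void)rxbuf;
    return sizeof(rxbuf - size);
}

/* Mirrors the shape of gem_receive(): copy the frame into a fixed-size
 * stack buffer and zero-pad the rest with the patched expression. The
 * size check is the precondition that expression depends on: size_t is
 * unsigned, so sizeof(rxbuf) - size wraps to a huge value (and the memcpy
 * has already overrun) when size exceeds the buffer. Returns the padding
 * length, or -1 when the frame is dropped because it does not fit. */
ssize_t receive_padded(const uint8_t *frame, size_t size, uint8_t *out)
{
    uint8_t rxbuf[RXBUF_LEN];
    if (size > sizeof(rxbuf)) {
        return -1;
    }
    memcpy(rxbuf, frame, size);
    memset(rxbuf + size, 0, sizeof(rxbuf) - size);
    memcpy(out, rxbuf, sizeof(rxbuf));
    return (ssize_t)(sizeof(rxbuf) - size);
}

/* Self-check on a constructed frame of `size` 0xAA bytes: 1 if payload
 * and zero tail are both intact, 0 on mismatch, -1 if rejected. */
int check_receive(size_t size)
{
    static uint8_t frame[RXBUF_LEN], out[RXBUF_LEN];
    memset(frame, 0xAA, sizeof(frame));
    if (receive_padded(frame, size, out) < 0) {
        return -1;
    }
    for (size_t i = 0; i < RXBUF_LEN; i++) {
        if (out[i] != (i < size ? 0xAA : 0)) {
            return 0;
        }
    }
    return 1;
}
```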
