From: Stefan Weil
Date: Sun, 10 Jun 2012 22:34:13 +0200
Message-ID: <4FD504C5.6080101@weilnetz.de>
References: <1336666788-30233-1-git-send-email-jim@meyering.net> <1336666788-30233-3-git-send-email-jim@meyering.net>
Subject: Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun
To: Anthony Liguori
Cc: Blue Swirl, Jim Meyering, Peter Crosthwaite, qemu-devel@nongnu.org

On 14.05.2012 06:57, Peter Crosthwaite wrote:
> ACK and Thanks Jim,
>
> Reviewed-by: Peter A.G. Crosthwaite
>
> On Fri, May 11, 2012 at 2:19 AM, Jim Meyering wrote:
>
>> From: Jim Meyering
>>
>> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
>> of bytes to clear. The latter would always clear 4 or 8
>> bytes, possibly writing beyond the end of that stack buffer.
>> Alternatively, depending on the value of the "size" parameter,
>> it could fail to initialize the end of "rxbuf".
>> Spotted by coverity.
>>
>> Signed-off-by: Jim Meyering
>> ---
>> hw/cadence_gem.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
>> index e2140ae..dbde392 100644
>> --- a/hw/cadence_gem.c
>> +++ b/hw/cadence_gem.c
>> @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size) >> */ >> >> memcpy(rxbuf, buf, size); >> - memset(rxbuf + size, 0, sizeof(rxbuf - size)); >> + memset(rxbuf + size, 0, sizeof(rxbuf) - size); >> rxbuf_ptr = rxbuf; >> crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); >> if (size< 60) { >> -- >> 1.7.10.1.487.ga3935e6 >> Ping. This patch is still missing in 1.1 and master.
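Review bot: the corrected "memset(rxbuf + size, 0, sizeof(rxbuf) - size);" is only safe while size <= sizeof(rxbuf), and nothing in this hunk establishes that: the preceding "memcpy(rxbuf, buf, size);" copies the caller-supplied size unchecked, so an oversized frame would still overrun the stack buffer in the memcpy and then make sizeof(rxbuf) - size wrap to a huge size_t for the memset, turning the one-off 4- or 8-byte write this patch removes into a much larger one. Please confirm that gem_receive (or its caller) rejects or truncates frames larger than rxbuf before this point, or add an explicit guard such as "if (size > sizeof(rxbuf)) { return -1; }" ahead of the memcpy and say so in the comment block that ends just above it. The fix also relies on rxbuf being an array declared in this function rather than a pointer, since sizeof on a pointer would again yield 4 or 8; the declaration is outside the hunk, so a one-line note in the commit message would save the next reviewer the lookup.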