From: Eric Sesterhenn / Snakebyte <snakebyte@gmx.de>
To: Mikael Pettersson <mikpe@it.uu.se>
Cc: linux-kernel@vger.kernel.org, snakebyte@gmx.de, gregkh@suse.de
Subject: Re: [Patch] Off by one in drivers/usb/serial/usb-serial.c
Date: Mon, 26 Jun 2006 00:59:21 +0200
Message-ID: <20060625225920.GA16834@alice>
In-Reply-To: <200606221331.k5MDVua9010794@harpo.it.uu.se>

* Mikael Pettersson (mikpe@it.uu.se) wrote:
> On Wed, 21 Jun 2006 23:28:17 +0200, Eric Sesterhenn wrote:
> > this fixes coverity id #554. since serial table
> > is defined as serial_table[SERIAL_TTY_MINORS] we
> > should make sure we don't access with an index
> > of SERIAL_TTY_MINORS.
> >
> > Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
> >
> > --- linux-2.6.17-git2/drivers/usb/serial/usb-serial.c.orig 2006-06-21 23:24:07.000000000 +0200
> > +++ linux-2.6.17-git2/drivers/usb/serial/usb-serial.c 2006-06-21 23:25:12.000000000 +0200
> > @@ -83,7 +83,7 @@ static struct usb_serial *get_free_seria
> >
> > good_spot = 1;
> > for (j = 1; j <= num_ports-1; ++j)
> > - if ((i+j >= SERIAL_TTY_MINORS) || (serial_table[i+j])) {
> > + if ((i+j >= SERIAL_TTY_MINORS-1)||(serial_table[i+j])) {
> > good_spot = 0;
> > i += j;
> > break;
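Review bot: The new bound `i+j >= SERIAL_TTY_MINORS-1` in the inner-loop condition rejects index SERIAL_TTY_MINORS-1, which is the last valid slot of an array declared as serial_table[SERIAL_TTY_MINORS], so a multi-port device can no longer be placed in a run that ends at the final minor. The original line does not need tightening: `||` short-circuits, so serial_table[i+j] is evaluated only when `i+j >= SERIAL_TTY_MINORS` is false, and index SERIAL_TTY_MINORS is never read. Suggest dropping the hunk and recording the Coverity finding as a false positive; if the line is touched anyway, keep the spaces around `||`.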
>
> Where is the access coverity complained about? If it's the serial_table[i+j]
> quoted above, then the original code is OK since i+j < SERIAL_TTY_MINORS is
> an invariant in that subexpression.
>
> And the other accesses to serial_table[] in get_free_serial() are also only
> done when the index is < SERIAL_TTY_MINORS.

Guess I was too quick on that one, sorry. Here is the coverity
report for completeness.

Event assignment: Assigning "1" to "j"
Also see events: [overrun-local]
At conditional (11): "j <= (num_ports - 1)" taking true path
At conditional (16): "j <= (num_ports - 1)" taking true path

85              for (j = 1; j <= num_ports-1; ++j)

Event overrun-local: Overrun of static array "serial_table" of size 255
at position 255 with index variable "(i + j)"
Also see events: [assignment]
At conditional (12): "(i + j) >= 255" taking true path
At conditional (17): "(i + j) >= 255" taking false path

86                      if ((i+j >= SERIAL_TTY_MINORS) ||
                            (serial_table[i+j])) {
87                              good_spot = 0;
88                              i += j;
89                              break;
90                      }

greetings, Eric
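
The short-circuit argument from the quoted review, as an added example that is not part of the thread or the kernel source: a simplified model of the free-slot search that records the highest index read under the original bound and under the patched one. The outer loop and the names `slot_used`, `find_free_run`, `run_case`, `limit_off` and `max_index_read` are assumptions made for illustration; the array size 255 is the one quoted in the Coverity report.

```c
#include <stddef.h>
#include <stdio.h>
#define SERIAL_TTY_MINORS 255  /* array size quoted in the Coverity report */

static void *serial_table[SERIAL_TTY_MINORS];
static int max_index_read;     /* instrumentation: highest index dereferenced */

static int slot_used(int idx)
{
    if (idx > max_index_read)
        max_index_read = idx;
    return serial_table[idx] != NULL;
}

/* Simplified model of the search (the outer loop is an assumption).
 * limit_off 0 = original bound, 1 = bound from the proposed patch. */
static int find_free_run(int num_ports, int limit_off)
{
    int i, j, good_spot;

    for (i = 0; i < SERIAL_TTY_MINORS; ++i) {
        if (slot_used(i))
            continue;
        good_spot = 1;
        for (j = 1; j <= num_ports - 1; ++j)
            /* || short-circuits: the table is read only when i+j is in range */
            if ((i + j >= SERIAL_TTY_MINORS - limit_off) || slot_used(i + j)) {
                good_spot = 0;
                i += j;
                break;
            }
        if (good_spot)
            return i;          /* first minor of a free run of num_ports */
    }
    return -1;
}

/* Constructed input: every minor used except the last free_tail ones. */
static int run_case(int free_tail, int num_ports, int limit_off)
{
    for (int k = 0; k < SERIAL_TTY_MINORS; ++k)  /* any non-NULL pointer marks "used" */
        serial_table[k] = (k < SERIAL_TTY_MINORS - free_tail) ? (void *)serial_table : NULL;
    max_index_read = -1;
    return find_free_run(num_ports, limit_off);
}

int main(void)
{
    int ok = run_case(2, 2, 0), lost = run_case(2, 2, 1), edge = run_case(1, 2, 0);
    printf("original: %d  patched: %d  one free: %d (max index read %d)\n", ok, lost, edge, max_index_read);
    return 0;
}
```

With the original bound the two-port device lands on minors 253 and 254 and index 255 is never read; with the patched bound the same request fails because minor 254 is treated as out of range.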