From: Greg KH <gregkh@suse.de>
To: Eric Sesterhenn / Snakebyte <snakebyte@gmx.de>
Cc: Mikael Pettersson <mikpe@it.uu.se>, linux-kernel@vger.kernel.org
Subject: Re: [Patch] Off by one in drivers/usb/serial/usb-serial.c
Date: Mon, 26 Jun 2006 12:10:07 -0700
Message-ID: <20060626191007.GA21925@suse.de>
In-Reply-To: <20060625225920.GA16834@alice>

On Mon, Jun 26, 2006 at 12:59:21AM +0200, Eric Sesterhenn / Snakebyte wrote:
> * Mikael Pettersson (mikpe@it.uu.se) wrote:
> > On Wed, 21 Jun 2006 23:28:17 +0200, Eric Sesterhenn wrote:
> > > this fixes coverity id #554. since serial table
> > > is defined as serial_table[SERIAL_TTY_MINORS] we
> > > should make sure we don't access with an index
> > > of SERIAL_TTY_MINORS.
> > >
> > > Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
> > >
> > > --- linux-2.6.17-git2/drivers/usb/serial/usb-serial.c.orig 2006-06-21 23:24:07.000000000 +0200
> > > +++ linux-2.6.17-git2/drivers/usb/serial/usb-serial.c 2006-06-21 23:25:12.000000000 +0200
> > > @@ -83,7 +83,7 @@ static struct usb_serial *get_free_seria
> > >
> > > good_spot = 1;
> > > for (j = 1; j <= num_ports-1; ++j)
> > > - if ((i+j >= SERIAL_TTY_MINORS) || (serial_table[i+j])) {
> > > + if ((i+j >= SERIAL_TTY_MINORS-1)||(serial_table[i+j])) {
> > > good_spot = 0;
> > > i += j;
> > > break;
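Review bot: The new bound `SERIAL_TTY_MINORS-1` on the `+` line rejects `i+j == SERIAL_TTY_MINORS-1`, which is the last valid index of an array declared as `serial_table[SERIAL_TTY_MINORS]`, so a free run ending on the final minor would no longer be accepted. The original test already evaluates `i+j >= SERIAL_TTY_MINORS` before `serial_table[i+j]`, and `||` short-circuits, so the read only happens with an in-range index; I would drop this change rather than tighten the bound. The spacing around `||` is also changed on the same line, which is unrelated churn.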
> >
> > Where is the access coverity complained about? If it's the serial_table[i+j]
> > quoted above, then the original code is OK since i+j < SERIAL_TTY_MINORS is
> > an invariant in that subexpression.
> >
> > And the other accesses to serial_table[] in get_free_serial() are also only
> > done when the index is < SERIAL_TTY_MINORS.
>
> guess I was too quick on that one, sorry. Here is the coverity
> report for completeness.
>
> Event assignment: Assigning "1" to "j"
> Also see events: [overrun-local]
> At conditional (11): "j <= (num_ports - 1)" taking true path
> At conditional (16): "j <= (num_ports - 1)" taking true path
>
> 85 for (j = 1; j <= num_ports-1; ++j)
>
> Event overrun-local: Overrun of static array "serial_table" of size 255
> at position 255 with index variable "(i + j)"
> Also see events: [assignment]
> At conditional (12): "(i + j) >= 255" taking true path
> At conditional (17): "(i + j) >= 255" taking false path
>
> 86 if ((i+j >= SERIAL_TTY_MINORS) ||
> (serial_table[i+j])) {
> 87 good_spot = 0;
> 88 i += j;
> 89 break;
> 90 }

So, what does this mean?  That coverity is broken, yet again?

I'm getting very tired of these false positives from them, it is getting
so that I can't trust the output of the tool at all :(

thanks,

greg k-h
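
Added example, not part of the thread or the kernel source: a reduced C model of the loop in the quoted hunk, with an instrumented array read, showing that the `||` short-circuit keeps `i+j` inside `serial_table` and that the proposed `SERIAL_TTY_MINORS-1` bound rejects the last valid slot. The outer loop and the names `table_at`, `find_free_run` and `fill_except` are assumptions made for illustration; the size 255 is taken from the Coverity report.

```c
#include <stddef.h>
#include <stdio.h>

#define SERIAL_TTY_MINORS 255            /* array size from the Coverity report */

static void *serial_table[SERIAL_TTY_MINORS];
static int max_index_read;               /* highest index handed to table_at() */
static int oob_reads;                    /* reads that would leave the array */

/* Instrumented read (hypothetical helper): counts any out-of-range index. */
static void *table_at(int idx)
{
    if (idx > max_index_read) max_index_read = idx;
    if (idx < 0 || idx >= SERIAL_TTY_MINORS) { oob_reads++; return NULL; }
    return serial_table[idx];
}

/* Constructed state: minors below first_free are taken, the rest are free. */
static void fill_except(int first_free)
{
    for (int k = 0; k < SERIAL_TTY_MINORS; ++k)
        serial_table[k] = (k < first_free) ? (void *)serial_table : NULL;
    max_index_read = -1;
    oob_reads = 0;
}

/* Reduced model of the search: the inner loop is the one in the hunk, the
 * outer loop is assumed. limit is SERIAL_TTY_MINORS (original test) or
 * SERIAL_TTY_MINORS-1 (proposed patch). Returns the first minor or -1. */
static int find_free_run(int num_ports, int limit)
{
    int i, j, good_spot;
    for (i = 0; i < SERIAL_TTY_MINORS; ++i) {
        if (table_at(i))
            continue;
        good_spot = 1;
        for (j = 1; j <= num_ports - 1; ++j)
            if ((i + j >= limit) || table_at(i + j)) { /* bound checked first */
                good_spot = 0;
                i += j;
                break;
            }
        if (good_spot)
            return i;
    }
    return -1;
}

int main(void)
{
    fill_except(254);                    /* i+j reaches 255, as in the report */
    printf("run=%d oob=%d max=%d\n", find_free_run(2, SERIAL_TTY_MINORS), oob_reads, max_index_read);
    return 0;
}
```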