* question about smatch error
From: Roland Dreier @ 2011-01-17 5:02 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-kernel
Hi Dan,
I'm running smatch against some of my code, and I'm seeing the errors
drivers/infiniband/hw/mlx4/main.c +784 mlx4_addrconf_ifid_eui48(5) error: buffer overflow 'eui' 3 <= 3
drivers/infiniband/hw/mlx4/main.c +785 mlx4_addrconf_ifid_eui48(6) error: buffer overflow 'eui' 3 <= 4
drivers/infiniband/hw/mlx4/main.c +787 mlx4_addrconf_ifid_eui48(8) error: buffer overflow 'eui' 3 <= 3
drivers/infiniband/hw/mlx4/main.c +788 mlx4_addrconf_ifid_eui48(9) error: buffer overflow 'eui' 3 <= 4
and I can't understand what smatch is trying to say -- the code in
question is basically
	if (vlan_id < 0x1000) {
		eui[3] = vlan_id >> 8;
		eui[4] = vlan_id & 0xff;
	} else {
		eui[3] = 0xff;
		eui[4] = 0xfe;
	}
where eui is a u8*, and I don't see how smatch even thinks it knows how
big the buffer is in the first place.
This is with up-to-date smatch from git (my tree is at 798c4c13).
Thanks,
Roland
* Re: question about smatch error
From: David Miller @ 2011-01-17 5:33 UTC (permalink / raw)
To: rdreier; +Cc: error27, linux-kernel
From: Roland Dreier <rdreier@cisco.com>
Date: Sun, 16 Jan 2011 21:02:52 -0800
> where eui is a u8*, and I don't see how smatch even thinks it knows how
> big the buffer is in the first place.
It can see that the one and only caller passes in a pointer in the
middle of an on-stack ib_gid struct, and it knows how big those
objects are.
* Re: question about smatch error
From: Dan Carpenter @ 2011-01-17 6:06 UTC (permalink / raw)
To: Roland Dreier; +Cc: linux-kernel
On Sun, Jan 16, 2011 at 09:02:52PM -0800, Roland Dreier wrote:
> where eui is a u8*, and I don't see how smatch even thinks it knows how
> big the buffer is in the first place.
>
It comes from the memcpy:
	memcpy(eui, dev->dev_addr, 3);
	memcpy(eui + 5, dev->dev_addr + 3, 3);
The first line means smatch thinks "eui" is a 3 char buffer. The second
line gets ignored but normally smatch would see "eui + 5" as a separate
buffer.
Really when it sees the memcpy() that's just a guess about the size;
I'll disable it by default unless you use the --spammy option.
regards,
dan carpenter
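To make the layout concrete: the interface-id construction reconstructed from the fragments quoted in this thread, with the caller shape David describes (a pointer into the middle of a 16-byte on-stack GID). This is an added example, not the kernel's code; the MAC address, the GID_LEN/IFID_LEN names and the sentinel helper are constructed for illustration. It shows why a 3-byte memcpy() is no guide to the size of 'eui': the destination is the 8-byte interface-id half of the GID, and every write below lands inside it.

```c
#include <stdint.h>
#include <string.h>

#define GID_LEN  16   /* assumed: 16-byte GID, interface id in bytes 8..15 */
#define IFID_LEN  8

/* Constructed sample MAC (EUI-48); not a real device address. */
static const uint8_t sample_mac[6] = { 0x00, 0x02, 0xc9, 0x12, 0x34, 0x56 };

/* Fill the 8-byte 'eui' from a 6-byte MAC and a VLAN id, following the
 * quoted fragments. The first memcpy() is the one smatch took as the
 * buffer size; the real destination is IFID_LEN bytes long. (The U/L-bit
 * inversion of a modified EUI-64 is not in the quoted code and is omitted.) */
static void ifid_from_eui48(uint8_t *eui, const uint8_t *mac, unsigned vlan_id)
{
	memcpy(eui, mac, 3);             /* OUI -> bytes 0..2 */
	if (vlan_id < 0x1000) {
		eui[3] = vlan_id >> 8;   /* 12-bit VLAN id -> bytes 3..4 */
		eui[4] = vlan_id & 0xff;
	} else {
		eui[3] = 0xff;           /* no valid VLAN: 0xfffe filler */
		eui[4] = 0xfe;
	}
	memcpy(eui + 5, mac + 3, 3);     /* device id -> bytes 5..7 */
}

/* Caller shape from the thread: fill the interface-id half of an on-stack
 * GID through a pointer into its middle. Returns the byte at 'idx' after the
 * fill, or -1 for an out-of-range index, so the result can be checked; the
 * 0xAA sentinel makes any write outside bytes 8..15 visible. */
int gid_byte_after_fill(unsigned vlan_id, int idx)
{
	uint8_t gid[GID_LEN];

	memset(gid, 0xAA, sizeof gid);
	ifid_from_eui48(gid + (GID_LEN - IFID_LEN), sample_mac, vlan_id);
	return (idx >= 0 && idx < GID_LEN) ? gid[idx] : -1;
}
```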