public inbox for linux-kernel@vger.kernel.org
* drivers/net/at1700.c: at1700_probe1: array overflow
@ 2005-03-25 18:18 Adrian Bunk
  2005-03-25 18:42 ` Roland Dreier
  0 siblings, 1 reply; 4+ messages in thread
From: Adrian Bunk @ 2005-03-25 18:18 UTC (permalink / raw)
  To: jgarzik; +Cc: linux-net, linux-kernel

The Coverity checker found the following:

<--  snip  -->

...
static int at1700_ioaddr_pattern[] __initdata = {
        0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x07
};
...
static int __init at1700_probe1(struct net_device *dev, int ioaddr)
{
...
	for (l_i = 0; l_i < 0x09; l_i++)
		if (( pos3 & 0x07) == at1700_ioaddr_pattern[l_i])
			break;
	ioaddr = at1700_mca_probe_list[l_i];
...
}
...

<--  snip  -->


This can result in indexing in an array with 8 entries the 10th entry.


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




* Re: drivers/net/at1700.c: at1700_probe1: array overflow
  2005-03-25 18:18 drivers/net/at1700.c: at1700_probe1: array overflow Adrian Bunk
@ 2005-03-25 18:42 ` Roland Dreier
  2005-03-25 20:38   ` Adrian Bunk
  0 siblings, 1 reply; 4+ messages in thread
From: Roland Dreier @ 2005-03-25 18:42 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: jgarzik, linux-net, linux-kernel

    Adrian> This can result in indexing in an array with 8 entries the
    Adrian> 10th entry.

Well, not really, since the first 8 entries of the array have every
3-bit pattern.  So pos3 & 0x07 will always match one of them.

I agree it would be cleaner to make the loop only go up to 7 though.

 - R.
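
Added example, not part of the original thread or the driver: a small C model of the search loop that checks the argument above, namely that a table holding every 3-bit value makes the loop exit with l_i <= 7 even with a bound of 0x09. The function names and the broken table are constructed for illustration; the model never reads past the array.

```c
#include <stdio.h>
#define PATTERN_LEN 8	/* entries in at1700_ioaddr_pattern */
#define LOOP_LIMIT  9	/* loop bound 0x09 from at1700_probe1 */

/* Table as quoted in the report. */
static const int ioaddr_pattern[PATTERN_LEN] = {
	0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x07
};

/* Constructed counter-example: 0x07 replaced by a second 0x03. */
static const int broken_pattern[PATTERN_LEN] = {
	0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x03
};

/*
 * Model of the search loop that never reads past the table. Returns the
 * l_i at exit; a result >= len means the real loop would read table[len].
 */
static int exit_index(const int *table, int len, int limit, int key)
{
	int l_i;
	for (l_i = 0; l_i < limit; l_i++) {
		if (l_i >= len)
			return l_i;	/* out-of-range read in the real loop */
		if (key == table[l_i])
			break;
	}
	return l_i;
}

/* Largest exit index over every key that (pos3 & 0x07) can produce. */
static int worst_exit_index(const int *table, int len, int limit)
{
	int key, worst = 0;
	for (key = 0; key <= 0x07; key++) {
		int idx = exit_index(table, len, limit, key);
		if (idx > worst)
			worst = idx;
	}
	return worst;
}

int main(void)
{
	printf("quoted table: worst l_i = %d\n",
	       worst_exit_index(ioaddr_pattern, PATTERN_LEN, LOOP_LIMIT));
	printf("broken table: worst l_i = %d\n",
	       worst_exit_index(broken_pattern, PATTERN_LEN, LOOP_LIMIT));
	return 0;
}
```

The safety of the original loop therefore rests on the table contents, not on the loop bound: one duplicated entry is enough for the search to run off the end.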


* Re: drivers/net/at1700.c: at1700_probe1: array overflow
  2005-03-25 18:42 ` Roland Dreier
@ 2005-03-25 20:38   ` Adrian Bunk
  2005-03-30  0:49     ` null
  0 siblings, 1 reply; 4+ messages in thread
From: Adrian Bunk @ 2005-03-25 20:38 UTC (permalink / raw)
  To: Roland Dreier; +Cc: jgarzik, linux-net, linux-kernel

On Fri, Mar 25, 2005 at 10:42:11AM -0800, Roland Dreier wrote:
>     Adrian> This can result in indexing in an array with 8 entries the
>     Adrian> 10th entry.
> 
> Well, not really, since the first 8 entries of the array have every
> 3-bit pattern.  So pos3 & 0x07 will always match one of them.
> 
> I agree it would be cleaner to make the loop only go up to 7 though.

You either have this (impossible) overflow, or the case l_i == 7 isn't
tested explicitly.

I'd say simply leave it as it is now.

But if no one disagrees, I'm inclined to add a comment.

>  - R.

cu
Adrian




* Re: drivers/net/at1700.c: at1700_probe1: array overflow
  2005-03-25 20:38   ` Adrian Bunk
@ 2005-03-30  0:49     ` null
  0 siblings, 0 replies; 4+ messages in thread
From: null @ 2005-03-30  0:49 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Roland Dreier, jgarzik, linux-net, linux-kernel

On Fri, 25 Mar 2005, Adrian Bunk wrote:

> Date: Fri, 25 Mar 2005 21:38:20 +0100
> From: Adrian Bunk <bunk@stusta.de>
> To: Roland Dreier <roland@topspin.com>
> Cc: jgarzik@pobox.com, linux-net@vger.kernel.org,
>      linux-kernel@vger.kernel.org
> Subject: Re: drivers/net/at1700.c: at1700_probe1: array overflow
>
> On Fri, Mar 25, 2005 at 10:42:11AM -0800, Roland Dreier wrote:
> >     Adrian> This can result in indexing in an array with 8 entries the
> >     Adrian> 10th entry.
> >
> > Well, not really, since the first 8 entries of the array have every
> > 3-bit pattern.  So pos3 & 0x07 will always match one of them.
> >
> > I agree it would be cleaner to make the loop only go up to 7 though.
>
> You either have this (impossible) overflow, or the case l_i == 7 isn't
> tested explicitly.
>
> I'd say simply leave it as it is now.
>
> But if no one disagrees, I'm inclined to add a comment.
>
> >  - R.
>
> cu
> Adrian
>

But on the other hand why loop if you don't have to?

static int at1700_ioaddr_pattern[] __initdata = {
-         0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x07
+         0x00, 0x02, 0x04, 0x06, 0x01, 0x03, 0x05, 0x07
};
...
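
Review bot: the reordered at1700_ioaddr_pattern initializer needs a comment, because the table now holds the inverse of the old one (for each value of pos3 & 0x07, the index the removed loop would have found) and the name no longer describes its contents. Say in the comment that it is indexed by the low three bits of pos3 and yields an index into at1700_mca_probe_list, or rename it. Also confirm that nothing in the elided parts of the file still reads the table in its old order, since any such user would silently get different values.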

static int __init at1700_probe1(struct net_device *dev, int ioaddr)
{
...
-       for (l_i = 0; l_i < 0x09; l_i++)
-               if (( pos3 & 0x07) == at1700_ioaddr_pattern[l_i])
-                       break;
-       ioaddr = at1700_mca_probe_list[l_i];
+       ioaddr = at1700_mca_probe_list[at1700_ioaddr_pattern[pos3&7]];
...
}
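
Review bot: in the added ioaddr assignment, write the mask as pos3 & 0x07, with spaces and the same constant as the code it replaces; that mask is the only thing keeping the index into the 8-entry table in range, so it should stay easy to spot. With the loop removed, l_i may no longer be used in at1700_probe1 (its declaration and any other uses are in the elided lines), so drop it if this was its only use. The size of at1700_mca_probe_list is not visible here; the lookup yields 0..7, the same range the old loop produced on a match.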


