From: Jim Meyering
Date: Thu, 10 May 2012 18:19:48 +0200
Message-Id: <1336666788-30233-3-git-send-email-jim@meyering.net>
In-Reply-To: <1336666788-30233-1-git-send-email-jim@meyering.net>
References: <1336666788-30233-1-git-send-email-jim@meyering.net>
Subject: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun
To: qemu-devel@nongnu.org
Cc: Jim Meyering, Peter Crosthwaite

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number of bytes
to clear. The latter would always clear 4 or 8 bytes, possibly writing
beyond the end of that stack buffer. Alternatively, depending on the
value of the "size" parameter, it could fail to initialize the end of
"rxbuf".

Spotted by Coverity.

Signed-off-by: Jim Meyering
---
 hw/cadence_gem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140ae..dbde392 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size) */ memcpy(rxbuf, buf, size); - memset(rxbuf + size, 0, sizeof(rxbuf - size)); + memset(rxbuf + size, 0, sizeof(rxbuf) - size); rxbuf_ptr = rxbuf; crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); if (size < 60) {
-- 
1.7.10.1.487.ga3935e6
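Review bot: the corrected memset is only safe when size <= sizeof(rxbuf), and nothing in this hunk establishes that bound: the preceding memcpy(rxbuf, buf, size) copies the caller-supplied size unconditionally, and if size ever exceeded the buffer, sizeof(rxbuf) - size would wrap as an unsigned size_t and the memset would run far past rxbuf. The one-line fix itself is right (sizeof(rxbuf - size) was the size of a pointer, not the remaining space), but it would be worth confirming in the patch description that the caller or an earlier check in gem_receive bounds size against sizeof(rxbuf), or adding such a check before the memcpy, so the zero-fill and the CRC over MAX(size, 60) bytes cannot read or write outside the stack buffer.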