From: Peter Maydell <peter.maydell@linaro.org>
To: Blue Swirl <blauwirbel@gmail.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>,
	qemu-devel@nongnu.org, Paul Brook <paul@codesourcery.com>
Subject: [Qemu-devel] [PATCH 14/16] cadence_gem: avoid stack-writing buffer-overrun
Date: Tue, 19 Jun 2012 14:31:11 +0100
Message-ID: <1340112673-14846-15-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1340112673-14846-1-git-send-email-peter.maydell@linaro.org>

From: Jim Meyering <meyering@redhat.com>

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
of bytes to clear.  The latter would always clear 4 or 8
bytes, possibly writing beyond the end of that stack buffer.
Alternatively, depending on the value of the "size" parameter,
it could fail to initialize the end of "rxbuf".
Spotted by coverity.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/cadence_gem.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140ae..dbde392 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
          */
 
         memcpy(rxbuf, buf, size);
-        memset(rxbuf + size, 0, sizeof(rxbuf - size));
+        memset(rxbuf + size, 0, sizeof(rxbuf) - size);
         rxbuf_ptr = rxbuf;
         crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
         if (size < 60) {
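Review bot: the corrected length sizeof(rxbuf) - size is right, but nothing in this hunk bounds size against sizeof(rxbuf) before the memcpy on the line above; if a frame larger than rxbuf ever reaches gem_receive, that memcpy already overruns and sizeof(rxbuf) - size wraps to a huge size_t, turning the memset into a second, far larger overrun. Either confirm that an earlier check in gem_receive (outside this hunk) guarantees size <= sizeof(rxbuf), or add one ahead of the memcpy, e.g. `if (size > sizeof(rxbuf)) { return -1; }`, and state the invariant in the comment so Coverity and human readers can see it.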
-- 
1.7.1
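As an added illustration (not part of Jim Meyering's patch or of the QEMU source), the C below shows why sizeof(rxbuf - size) evaluates to a pointer size, then pads a frame with the corrected expression together with the bound check that the one-line fix does not itself provide; RXBUF_LEN, MIN_FRAME, buggy_clear_len, pad_frame and demo_ok are assumed names, and 2048 is an assumed buffer size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the device's receive buffer; its real size is not
 * shown in the patch, so 2048 is an assumption. 60 is the MAX(size, 60) floor. */
#define RXBUF_LEN 2048
#define MIN_FRAME 60

/* What the buggy sizeof(rxbuf - size) yields: rxbuf decays to a pointer inside
 * the subtraction, so the result is sizeof(uint8_t *), never the buffer size. */
size_t buggy_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN] = {0};
    return sizeof(rxbuf - size);
}

/* Copy a frame into rxbuf and zero the rest, as the fixed line does. Returns
 * the length the CRC would cover (at least MIN_FRAME), or 0 if the frame does
 * not fit: with size > rxbuf_len the memcpy overruns and rxbuf_len - size wraps. */
size_t pad_frame(uint8_t *rxbuf, size_t rxbuf_len, const uint8_t *buf, size_t size)
{
    if (size > rxbuf_len) return 0;
    memcpy(rxbuf, buf, size);
    memset(rxbuf + size, 0, rxbuf_len - size);
    return size > MIN_FRAME ? size : MIN_FRAME;
}

/* Pad a constructed 20-byte frame into a buffer full of stale bytes; return 1
 * if the payload survived and every byte past it is now zero. */
int demo_ok(void)
{
    uint8_t rxbuf[RXBUF_LEN], frame[20];
    memset(rxbuf, 0xAA, sizeof(rxbuf));   /* leftovers from an earlier frame */
    memset(frame, 0x5A, sizeof(frame));
    if (pad_frame(rxbuf, sizeof(rxbuf), frame, sizeof(frame)) != MIN_FRAME) return 0;
    for (size_t i = 0; i < sizeof(rxbuf); i++) {
        if (rxbuf[i] != (i < sizeof(frame) ? 0x5A : 0x00)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("buggy memset length: %zu bytes\n", buggy_clear_len(20));
    printf("padded frame correct: %s\n", demo_ok() ? "yes" : "no");
    return 0;
}
```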
