Re: [Qemu-devel] [PATCH] e1000: cleanup process_tx_desc

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: Andrew Jones <drjones@redhat.com>
Cc: jasowang@redhat.com, pbonzini@redhat.com, aliguori@us.ibm.com,
	qemu-devel@nongnu.org, stefanha@redhat.com
Subject: Re: [Qemu-devel] [PATCH] e1000: cleanup process_tx_desc
Date: Tue, 4 Jun 2013 13:58:30 +0300	[thread overview]
Message-ID: <20130604105830.GA13194@redhat.com> (raw)
In-Reply-To: <1370272838-15373-1-git-send-email-drjones@redhat.com>

On Mon, Jun 03, 2013 at 05:20:38PM +0200, Andrew Jones wrote:
> Coverity complains about two overruns in process_tx_desc(). The
> complaints are false positives, but we might as well eliminate
> them. The problem is that "hdr" is defined as an unsigned int,
> but then used to offset an array of size 65536, and another of
> size 256 bytes. hdr will actually never be greater than 255
> though, as it's assigned only once and to the value of
> tp->hdr_len, which is an uint8_t. This patch simply gets rid of
> hdr, replacing it with tp->hdr_len, which makes it consistent
> with all other tp member use in the function.
> 
> Signed-off-by: Andrew Jones <drjones@redhat.com>

Applied, thanks.

> ---
>  hw/net/e1000.c | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/net/e1000.c b/hw/net/e1000.c
> index e6f46f0c511e8..eec3e7a4524d1 100644
> --- a/hw/net/e1000.c
> +++ b/hw/net/e1000.c
> @@ -556,7 +556,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>      uint32_t txd_lower = le32_to_cpu(dp->lower.data);
>      uint32_t dtype = txd_lower & (E1000_TXD_CMD_DEXT | E1000_TXD_DTYP_D);
>      unsigned int split_size = txd_lower & 0xffff, bytes, sz, op;
> -    unsigned int msh = 0xfffff, hdr = 0;
> +    unsigned int msh = 0xfffff;
>      uint64_t addr;
>      struct e1000_context_desc *xp = (struct e1000_context_desc *)dp;
>      struct e1000_tx *tp = &s->tx;
> @@ -603,8 +603,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>          
>      addr = le64_to_cpu(dp->buffer_addr);
>      if (tp->tse && tp->cptse) {
> -        hdr = tp->hdr_len;
> -        msh = hdr + tp->mss;
> +        msh = tp->hdr_len + tp->mss;
>          do {
>              bytes = split_size;
>              if (tp->size + bytes > msh)
> @@ -612,14 +611,15 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>  
>              bytes = MIN(sizeof(tp->data) - tp->size, bytes);
>              pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
> -            if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
> -                memmove(tp->header, tp->data, hdr);
> +            if ((sz = tp->size + bytes) >= tp->hdr_len
> +                && tp->size < tp->hdr_len)
> +                memmove(tp->header, tp->data, tp->hdr_len);
>              tp->size = sz;
>              addr += bytes;
>              if (sz == msh) {
>                  xmit_seg(s);
> -                memmove(tp->data, tp->header, hdr);
> -                tp->size = hdr;
> +                memmove(tp->data, tp->header, tp->hdr_len);
> +                tp->size = tp->hdr_len;
>              }
>          } while (split_size -= bytes);
>      } else if (!tp->tse && tp->cptse) {
> @@ -633,7 +633,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>  
>      if (!(txd_lower & E1000_TXD_CMD_EOP))
>          return;
> -    if (!(tp->tse && tp->cptse && tp->size < hdr))
> +    if (!(tp->tse && tp->cptse && tp->size < tp->hdr_len))
>          xmit_seg(s);
>      tp->tso_frames = 0;
>      tp->sum_needed = 0;
> -- 
> 1.8.1.4

     prev parent reply	other threads:[~2013-06-04 11:09 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-03 15:20 [Qemu-devel] [PATCH] e1000: cleanup process_tx_desc Andrew Jones
2013-06-04  7:07 ` Jesse Larrew
2013-06-04  7:34   ` Andrew Jones
2013-06-04  7:54     ` Luigi Rizzo
2013-06-04  8:33     ` Peter Maydell
2013-06-04  8:53       ` Andrew Jones
2013-06-04  8:49 ` [Qemu-devel] [PATCH v2] " Andrew Jones
2013-06-04 11:02   ` Michael S. Tsirkin
2013-06-04 10:58 ` Michael S. Tsirkin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130604105830.GA13194@redhat.com \
    --to=mst@redhat.com \
    --cc=aliguori@us.ibm.com \
    --cc=drjones@redhat.com \
    --cc=jasowang@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).