
Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun

From: Stefan Weil
Subject: Re: [Qemu-devel] [PATCH 2/2] cadence_gem: avoid stack-writing buffer-overrun
Date: Sun, 10 Jun 2012 22:34:13 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20120506 Iceowl/1.0b1 Icedove/3.0.11

On 14.05.2012 06:57, Peter Crosthwaite wrote:
ACK and thanks, Jim,

Reviewed-by: Peter A.G. Crosthwaite <address@hidden>

On Fri, May 11, 2012 at 2:19 AM, Jim Meyering <address@hidden> wrote:
From: Jim Meyering <address@hidden>

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
of bytes to clear.  The latter would always clear 4 or 8
bytes, possibly writing beyond the end of that stack buffer.
Alternatively, depending on the value of the "size" parameter,
it could fail to initialize the end of "rxbuf".
Spotted by Coverity.

Signed-off-by: Jim Meyering <address@hidden>
  hw/cadence_gem.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140ae..dbde392 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const 
uint8_t *buf, size_t size)

         memcpy(rxbuf, buf, size);
-        memset(rxbuf + size, 0, sizeof(rxbuf - size));
+        memset(rxbuf + size, 0, sizeof(rxbuf) - size);
         rxbuf_ptr = rxbuf;
         crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
         if (size<  60) {
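Review bot: the corrected length sizeof(rxbuf) - size is only well-defined when size <= sizeof(rxbuf), and nothing in this hunk's context shows that bound being enforced; the preceding memcpy(rxbuf, buf, size) relies on the same invariant, so please confirm that the caller-supplied size is checked against sizeof(rxbuf) earlier in gem_receive, because an unchecked size larger than the buffer would make the size_t subtraction wrap and turn the memset into a far larger overrun than the one being fixed. It would also help the commit message to say why the zero-fill matters here: the crc32 on the next line covers MAX(size, 60) bytes, so a frame shorter than 60 bytes is checksummed over padding that the old memset (clearing only 4 or 8 bytes) left uninitialized.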

Ping. This patch is still missing in 1.1 and master.
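The sizeof mistake the commit message describes, worked through as an added example. This is not QEMU code: RXBUF_LEN, MIN_FRAME and the function names are assumptions made for the demonstration (the 60-byte figure comes from the MAX(size, 60) in the hunk's crc32 call, the buffer size does not come from the page). The example shows that sizeof(rxbuf - size) is the size of a pointer whatever size is, how many bytes the old memset wrote past the end of rxbuf for a large frame, how many bytes of the CRC window it left uninitialized for a small one, and a fill routine that carries the explicit bound the fixed hunk depends on.

```c
/* Added example, not from hw/cadence_gem.c. Illustrates the
 * sizeof(rxbuf - size) vs sizeof(rxbuf) - size bug fixed by the patch. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RXBUF_LEN 2048   /* assumption: size of the stack buffer in the demo */
#define MIN_FRAME 60     /* from the hunk: crc32() runs over MAX(size, 60) bytes */

static uint8_t rxbuf[RXBUF_LEN];

/* Length the original code passed to memset(). rxbuf decays to uint8_t *,
 * so the operand has pointer type and sizeof yields 4 or 8, never the
 * number of bytes left in the buffer. */
size_t buggy_clear_len(size_t size)
{
    return sizeof(rxbuf - size);
}

/* Length the fixed code passes: bytes remaining after the frame.
 * Only meaningful for size <= RXBUF_LEN; otherwise it wraps around. */
size_t fixed_clear_len(size_t size)
{
    return sizeof(rxbuf) - size;
}

/* Bytes the buggy memset writes past the end of rxbuf for a frame of
 * 'size' bytes (0 if it stays inside). */
size_t buggy_overrun_bytes(size_t size)
{
    size_t end = size + buggy_clear_len(size);
    return end > RXBUF_LEN ? end - RXBUF_LEN : 0;
}

/* Bytes inside the CRC window [0, MAX(size, 60)) that the buggy memset
 * leaves uninitialized (0 if the window is fully covered). */
size_t buggy_uninit_bytes(size_t size)
{
    size_t crc_end = size > MIN_FRAME ? size : MIN_FRAME;
    size_t cleared_end = size + buggy_clear_len(size);
    return cleared_end < crc_end ? crc_end - cleared_end : 0;
}

/* Copy a frame into a receive buffer and zero-pad the remainder, as the
 * fixed hunk does, with the bound check the subtraction requires.
 * Returns 0 on success, -1 if the frame does not fit. */
int fill_rxbuf(uint8_t *dst, size_t dst_len, const uint8_t *frame, size_t size)
{
    if (size > dst_len) {
        return -1;
    }
    memcpy(dst, frame, size);
    memset(dst + size, 0, dst_len - size);   /* dst_len - size cannot wrap here */
    return 0;
}

/* Runs fill_rxbuf() on a constructed frame of 'size' 0xAA bytes.
 * Returns 1 if accepted and the tail is verified zero, 0 if rejected,
 * -1 if accepted but the padding check failed. */
int demo_fill(size_t size)
{
    static uint8_t frame[RXBUF_LEN + 16];   /* constructed input */
    uint8_t dst[RXBUF_LEN];
    memset(frame, 0xAA, sizeof(frame));
    if (size > sizeof(frame)) {
        return 0;
    }
    if (fill_rxbuf(dst, sizeof(dst), frame, size) != 0) {
        return 0;
    }
    for (size_t i = size; i < sizeof(dst); i++) {
        if (dst[i] != 0) {
            return -1;
        }
    }
    return (size == 0 || dst[size - 1] == 0xAA) ? 1 : -1;
}

int main(void)
{
    const size_t sizes[] = { 20, 60, 1500, RXBUF_LEN - 2, RXBUF_LEN + 1 };
    printf("%6s %8s %8s %8s %8s %6s\n",
           "size", "buggy", "fixed", "overrun", "uninit", "fill");
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        size_t s = sizes[i];
        printf("%6zu %8zu %8zu %8zu %8zu %6d\n", s, buggy_clear_len(s),
               s <= RXBUF_LEN ? fixed_clear_len(s) : 0,
               buggy_overrun_bytes(s), buggy_uninit_bytes(s), demo_fill(s));
    }
    return 0;
}
```

The table makes both failure modes from the commit message concrete on one run: for a 20-byte frame the old memset clears only a pointer-sized slice, so most of the 60-byte CRC window is still uninitialized stack, while for a frame two bytes short of the buffer it writes past the end of rxbuf. The "fixed" column is printed as 0 for the oversized frame because sizeof(rxbuf) - size has already wrapped at that point, which is why fill_rxbuf() rejects the frame before subtracting.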
