Re: [Qemu-devel] [PULL v2 22/45] ipmi: introduce a struct ipmi_sdr_compact

[Cédric Le Goater]

On 02/16/2016 08:45 AM, Paolo Bonzini wrote:
> 
> 
> On 06/02/2016 20:13, Michael S. Tsirkin wrote:
>>  
>> -        if (sdr[7] > MAX_SENSORS) {
>> +        if (sdr->sensor_owner_number > MAX_SENSORS) {
> 
> This is another off-by-one, it should have been >=.  Same for all these
> occurrences later in the same file:
> 
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c:    if ((cmd[2] > MAX_SENSORS) ||


I missed that. Here is a patch.

Thanks,

C.


From: Cédric Le Goater <address@hidden>
Subject: [PATCH] ipmi: sensor number should not exceed MAX_SENSORS
Date: Tue, 16 Feb 2016 09:05:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Cédric Le Goater <address@hidden>
---
 hw/ipmi/ipmi_bmc_sim.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Index: qemu-powernv.git/hw/ipmi/ipmi_bmc_sim.c
===================================================================
--- qemu-powernv.git.orig/hw/ipmi/ipmi_bmc_sim.c
+++ qemu-powernv.git/hw/ipmi/ipmi_bmc_sim.c
@@ -536,7 +536,7 @@ static void ipmi_init_sensors_from_sdrs(
             continue; /* Not a sensor SDR we set from */
         }
 
-        if (sdr->sensor_owner_number > MAX_SENSORS) {
+        if (sdr->sensor_owner_number >= MAX_SENSORS) {
             continue;
         }
         sens = s->sensors + sdr->sensor_owner_number;
@@ -1448,7 +1448,7 @@ static void set_sensor_evt_enable(IPMIBm
     IPMISensor *sens;
 
     IPMI_CHECK_CMD_LEN(4);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;
@@ -1500,7 +1500,7 @@ static void get_sensor_evt_enable(IPMIBm
     IPMISensor *sens;
 
     IPMI_CHECK_CMD_LEN(3);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
         !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;
@@ -1521,7 +1521,7 @@ static void rearm_sensor_evts(IPMIBmcSim
     IPMISensor *sens;
 
     IPMI_CHECK_CMD_LEN(4);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
         !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;
@@ -1543,7 +1543,7 @@ static void get_sensor_evt_status(IPMIBm
     IPMISensor *sens;
 
     IPMI_CHECK_CMD_LEN(3);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
         !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;
@@ -1565,7 +1565,7 @@ static void get_sensor_reading(IPMIBmcSi
     IPMISensor *sens;
 
     IPMI_CHECK_CMD_LEN(3);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;
@@ -1588,7 +1588,7 @@ static void set_sensor_type(IPMIBmcSim *
 
 
     IPMI_CHECK_CMD_LEN(5);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;
@@ -1607,7 +1607,7 @@ static void get_sensor_type(IPMIBmcSim *
 
 
     IPMI_CHECK_CMD_LEN(3);
-    if ((cmd[2] > MAX_SENSORS) ||
+    if ((cmd[2] >= MAX_SENSORS) ||
             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
         rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
         return;