[Qemu-trivial] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun
From: Peter A. G. Crosthwaite
Subject: [Qemu-trivial] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun
Date: Tue, 19 Jun 2012 16:44:38 +1000
From: Jim Meyering <address@hidden>
Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
of bytes to clear. The latter would always clear 4 or 8
bytes, possibly writing beyond the end of that stack buffer.
Alternatively, depending on the value of the "size" parameter,
it could fail to initialize the end of "rxbuf".
Spotted by Coverity.
Signed-off-by: Jim Meyering <address@hidden>
Signed-off-by: Peter A. G. Crosthwaite <address@hidden>
---
hw/cadence_gem.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140ae..dbde392 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const
uint8_t *buf, size_t size)
*/
memcpy(rxbuf, buf, size);
- memset(rxbuf + size, 0, sizeof(rxbuf - size));
+ memset(rxbuf + size, 0, sizeof(rxbuf) - size);
rxbuf_ptr = rxbuf;
crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
if (size < 60) {
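Review bot: the corrected `sizeof(rxbuf) - size` is only safe while `size <= sizeof(rxbuf)`; `size` is a `size_t`, so a frame larger than the buffer wraps the subtraction to a huge count and the `memset` would run far past `rxbuf`. The `memcpy(rxbuf, buf, size)` on the preceding line already relies on the same bound, so the caller or an earlier check must enforce it; that check is not in the visible context, so it is worth confirming it exists or adding an explicit `if (size > sizeof(rxbuf))` bail-out before the copy.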
--
1.7.3.2
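The sizeof pitfall the commit message describes, as an added example that is not QEMU code and not part of this patch: `rxbuf - size` is a pointer-typed expression, so `sizeof(rxbuf - size)` is the size of a pointer, while `sizeof(rxbuf) - size` is the array length minus the frame length. The buffer length `RXBUF_LEN`, the function names and the sample frame are constructed for the example; the `copy_and_pad` helper also shows the bound check that the corrected expression depends on, since an unsigned subtraction wraps when the frame is larger than the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer length for this example; QEMU's real rxbuf is larger. */
#define RXBUF_LEN 64

/* What the buggy expression sizeof(rxbuf - size) evaluates to.  rxbuf - size
 * is a uint8_t * expression, so sizeof yields the size of a pointer (4 or 8)
 * regardless of the array length or of size.  Nothing is written here. */
size_t buggy_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    return sizeof(rxbuf - size);
}

/* What the fixed expression sizeof(rxbuf) - size evaluates to: the number of
 * bytes left after the copied frame.  Valid only while size <= sizeof(rxbuf). */
size_t fixed_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    return sizeof(rxbuf) - size;
}

/* Copy a frame into dst (buflen bytes) and zero the remainder, as the fixed
 * memset does.  Returns the number of padding bytes written, or (size_t)-1
 * when the frame does not fit.  The bound check matters: size_t is unsigned,
 * so buflen - size would wrap to a huge count when size > buflen. */
size_t copy_and_pad(uint8_t *dst, size_t buflen, const uint8_t *src, size_t size)
{
    if (size > buflen) {
        return (size_t)-1;
    }
    memcpy(dst, src, size);
    memset(dst + size, 0, buflen - size);
    return buflen - size;
}

/* Returns 1 when bytes [from, to) of buf are all zero. */
int tail_is_zero(const uint8_t *buf, size_t from, size_t to)
{
    for (size_t i = from; i < to; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/* Constructed case: a 10-byte frame into a 64-byte buffer pre-filled with
 * 0xAA.  Returns the padding count, or (size_t)-1 if the tail was not zeroed. */
size_t demo_short_frame(void)
{
    uint8_t rxbuf[RXBUF_LEN];
    const uint8_t frame[10] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0, 1, 2, 3 };
    memset(rxbuf, 0xAA, sizeof(rxbuf));
    size_t pad = copy_and_pad(rxbuf, sizeof(rxbuf), frame, sizeof(frame));
    if (pad == (size_t)-1 || !tail_is_zero(rxbuf, sizeof(frame), sizeof(rxbuf))) {
        return (size_t)-1;
    }
    return pad;
}

/* Constructed case: a frame one byte too long is refused rather than copied. */
int demo_oversized_frame_rejected(void)
{
    uint8_t rxbuf[RXBUF_LEN];
    uint8_t frame[RXBUF_LEN + 1] = { 0 };
    return copy_and_pad(rxbuf, sizeof(rxbuf), frame, sizeof(frame)) == (size_t)-1;
}

int main(void)
{
    printf("sizeof(rxbuf - size) = %zu (pointer size, independent of size)\n",
           buggy_clear_len(10));
    printf("sizeof(rxbuf) - size = %zu for a 10-byte frame\n", fixed_clear_len(10));
    printf("padding written: %zu, oversized rejected: %d\n",
           demo_short_frame(), demo_oversized_frame_rejected());
    return 0;
}
```

`buggy_clear_len` only computes the length the original code would have passed to `memset`; it does not perform the write, so the example can be run safely. Static analysers flag this pattern because `sizeof` applied to any pointer expression is a constant, which is exactly what Coverity reported here.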