From patchwork Tue Jun 19 06:44:38 2012
X-Patchwork-Submitter: "Peter A. G. Crosthwaite"
X-Patchwork-Id: 165659
From: "Peter A. G. Crosthwaite"
To: qemu-trivial@nongnu.org, qemu-devel@nongnu.org
Date: Tue, 19 Jun 2012 16:44:38 +1000
Message-Id: <1340088278-8406-1-git-send-email-peter.crosthwaite@petalogix.com>
X-Mailer: git-send-email 1.7.3.2
Cc: Jim Meyering, "Peter A. G. Crosthwaite"
Subject: [Qemu-devel] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun

From: Jim Meyering

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number of bytes to clear. The latter would always clear 4 or 8 bytes, possibly writing beyond the end of that stack buffer. Alternatively, depending on the value of the "size" parameter, it could fail to initialize the end of "rxbuf".

Spotted by coverity.

Signed-off-by: Jim Meyering
Signed-off-by: Peter A. G. Crosthwaite
---
 hw/cadence_gem.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140ae..dbde392 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size) */ memcpy(rxbuf, buf, size); - memset(rxbuf + size, 0, sizeof(rxbuf - size)); + memset(rxbuf + size, 0, sizeof(rxbuf) - size); rxbuf_ptr = rxbuf; crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); if (size < 60) {
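Review bot: the corrected line `memset(rxbuf + size, 0, sizeof(rxbuf) - size);` is only safe if `size <= sizeof(rxbuf)` is already guaranteed before the preceding `memcpy(rxbuf, buf, size);`, and nothing in the visible context enforces that. If a guard exists above the hunk it would help to mention it in the commit message; if it does not, a frame longer than the buffer already overruns on the memcpy, and `sizeof(rxbuf) - size` then wraps to a near-SIZE_MAX length for the memset, so an explicit check (drop or truncate the oversize frame) belongs in the same change. One more note for the message: the fix depends on `rxbuf` being an array in this scope, as the commit text says; if it were ever changed to a pointer, `sizeof(rxbuf)` would silently become the pointer width again, exactly the value the old expression produced.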
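As an added illustration of the commit message's point, the following C program is not code from the patch or from QEMU. It shows why `sizeof(rxbuf - size)` evaluates to the pointer width while `sizeof(rxbuf) - size` gives the remaining tail, and adds the length check that the hunk's visible context does not show. `RXBUF_LEN`, `padded_receive` and the other names are assumptions made for this example; the real buffer size in hw/cadence_gem.c is not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the device's stack receive buffer; the real
 * length in hw/cadence_gem.c is not shown on this page, so 64 is assumed. */
#define RXBUF_LEN 64

/* Bytes the buggy expression asks memset to clear.  sizeof is applied to
 * the type of (rxbuf - size), which is uint8_t *, so the result is the
 * pointer width (4 or 8) regardless of the array length or the frame. */
size_t buggy_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    (void)size;                     /* operand of sizeof is not evaluated */
    return sizeof(rxbuf - size);    /* == sizeof(uint8_t *) */
}

/* Bytes the corrected expression clears: the unused tail of the array. */
size_t fixed_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    return sizeof(rxbuf) - size;
}

/* Copy-then-pad step in the shape of gem_receive, with the bounds check the
 * hunk's context does not show.  Returns -1 when the frame would not fit,
 * otherwise the number of zero bytes written.  Without the check, a frame
 * longer than the buffer overruns on memcpy and rxbuf_len - size wraps to a
 * huge size_t, turning the memset into a second, far larger overrun. */
int padded_receive(uint8_t *rxbuf, size_t rxbuf_len,
                   const uint8_t *buf, size_t size)
{
    if (size > rxbuf_len) {
        return -1;
    }
    memcpy(rxbuf, buf, size);
    memset(rxbuf + size, 0, rxbuf_len - size);
    return (int)(rxbuf_len - size);
}

/* True when every byte past the payload is zero, which is what the pad
 * step is supposed to guarantee before the CRC is computed. */
int tail_is_zero(const uint8_t *rxbuf, size_t rxbuf_len, size_t size)
{
    for (size_t i = size; i < rxbuf_len; i++) {
        if (rxbuf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/* Runs the comparison on a constructed 10-byte frame; returns 1 on success. */
int demo(void)
{
    uint8_t rxbuf[RXBUF_LEN];
    uint8_t frame[10];
    memset(rxbuf, 0xAA, sizeof(rxbuf));   /* stale data from a previous frame */
    memset(frame, 0x5A, sizeof(frame));   /* constructed payload */

    if (buggy_clear_len(sizeof(frame)) != sizeof(uint8_t *)) return 0;
    if (fixed_clear_len(sizeof(frame)) != RXBUF_LEN - sizeof(frame)) return 0;
    if (padded_receive(rxbuf, sizeof(rxbuf), frame, sizeof(frame)) !=
        (int)(RXBUF_LEN - sizeof(frame))) return 0;
    if (!tail_is_zero(rxbuf, sizeof(rxbuf), sizeof(frame))) return 0;
    /* An oversize frame must be rejected rather than copied. */
    if (padded_receive(rxbuf, sizeof(rxbuf), frame, RXBUF_LEN + 1) != -1) return 0;
    return 1;
}
```

The buggy expression clears the same 4 or 8 bytes whatever `size` is, so with the stale 0xAA fill above the tail would stay dirty for any frame shorter than `RXBUF_LEN - 8`, and for a frame within 8 bytes of the end it would write past the array; the fixed expression clears exactly the tail, and the added check keeps the subtraction from wrapping.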