diff options
| author | Jim Meyering <meyering@redhat.com> | 2012-05-10 06:19:48 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2012-06-19 13:24:44 +0000 |
| commit | 5fbe02e8bb7c62ee55b8edc5fd688c369164c49c (patch) | |
| tree | 35d6f0ee1ff77d4f805034702f7bbe4de40949d9 /hw/cadence_gem.c | |
| parent | c97338dca0197abad7f0c789ad61d45940f67011 (diff) | |
| download | qemu-5fbe02e8bb7c62ee55b8edc5fd688c369164c49c.tar.gz qemu-5fbe02e8bb7c62ee55b8edc5fd688c369164c49c.tar.bz2 qemu-5fbe02e8bb7c62ee55b8edc5fd688c369164c49c.zip | |
cadence_gem: avoid stack-writing buffer-overrun
Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
of bytes to clear. The latter would always clear 4 or 8
bytes, possibly writing beyond the end of that stack buffer.
Alternatively, depending on the value of the "size" parameter,
it could fail to initialize the end of "rxbuf".
Spotted by coverity.
Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/cadence_gem.c')
| -rw-r--r-- | hw/cadence_gem.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c index e2140aea2b..dbde3920d0 100644 --- a/hw/cadence_gem.c +++ b/hw/cadence_gem.c @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size) */ memcpy(rxbuf, buf, size); - memset(rxbuf + size, 0, sizeof(rxbuf - size)); + memset(rxbuf + size, 0, sizeof(rxbuf) - size); rxbuf_ptr = rxbuf; crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); if (size < 60) { |