cadence_gem: avoid stack-writing buffer-overrun

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number of bytes to clear. The latter would always clear 4 or 8 bytes, possibly writing beyond the end of that stack buffer. Alternatively, depending on the value of the "size" parameter, it could fail to initialize the end of "rxbuf". Spotted by coverity. Signed-off-by: N Jim Meyering <meyering@redhat.com> Reviewed-by: N Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com> Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>

cadence_gem: avoid stack-writing buffer-overrun
Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number of bytes to clear. The latter would always clear 4 or 8 bytes, possibly writing beyond the end of that stack buffer. Alternatively, depending on the value of the "size" parameter, it could fail to initialize the end of "rxbuf". Spotted by coverity. Signed-off-by: N Jim Meyering <meyering@redhat.com> Reviewed-by: N Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com> Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>
5fbe02e8 · Jim Meyering · Peter Maydell · c97338dc · 5fbe02e8
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

hw/cadence_gem.c hw/cadence_gem.c +1 -1

未找到文件。
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
         */

        memcpy(rxbuf, buf, size);
-        memset(rxbuf + size, 0, sizeof(rxbuf - size));
+        memset(rxbuf + size, 0, sizeof(rxbuf) - size);
        rxbuf_ptr = rxbuf;
        crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
        if (size < 60) {