Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write

Tue, 04 Sep 2012 11:12:30 -0700 

Am 04.09.2012 19:57, schrieb Peter Maydell:

On 4 September 2012 18:37, Stefan Weil <s...@weilnetz.de> wrote:

Report from smatch:

mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 
<= 128
mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 
<= 128
mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 
<= 128
mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 
<= 128
mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 
<= 128
mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 
<= 128

m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.

Signed-off-by: Stefan Weil <s...@weilnetz.de>

Checked against the data sheet -- last documented register is at offset $1F0,
so correcting the offset check rather than the array length is the correct
fix.

Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>

-- PMM


Then m5206_mbar_width should be shortened to 124 elements
(0x1f0 / 4) _and_ the offset check needs a correction.

-- sw

Reply via email to