On 2020/11/11 上午5:52, Pavel Pisa wrote:
Credit for finding and fixes goes to Peter Maydell
This patchset fixes a couple of issues spotted by Coverity:
* incorrect address checks meant the guest could write off the
end of the tx_buffer arrays
* we had an unused value in ctucan_send_ready_buffers()
and also some I noticed while reading the code:
* we don't adjust the device's non-portable use of bitfields
on bigendian hosts
* we should use stl_le_p() rather than casting uint_t* to
uint32_t*
Tested with "make check" only.
Changes v1->v2: don't assert() the can't-happen case in patch 1,
to allow for future adjustment of #defines that correspond to
h/w synthesis parameters.
Changes v2->v3: minnor corrections of range checking,
support for unaligned and partial word writes into Tx
buffers. Tested on x86_64 guest on x86_64 host and bige-edian
MIPS guest on x86_64 host Pavel Pisa.
Peter Maydell (4):
hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
hw/net/can/ctucan: Avoid unused value in ctucan_send_ready_buffers()
hw/net/can/ctucan_core: Handle big-endian hosts
hw/net/can/ctucan_core: Use stl_le_p to write to tx_buffers
hw/net/can/ctucan_core.c | 23 +++++++----------------
hw/net/can/ctucan_core.h | 3 +--
2 files changed, 8 insertions(+), 18 deletions(-)
Applied.
Thanks
