peterdelevoryas / rpms / qemu

Forked from rpms/qemu 2 years ago
Clone

Blame 0162-ide-Fix-error-messages-from-static-code-analysis-no-.patch

5544c1
From 8557d38b8d660d07c7b6fd1bfa62182cc6c52400 Mon Sep 17 00:00:00 2001
5544c1
From: Stefan Weil <sw@weilnetz.de>
5544c1
Date: Mon, 3 Sep 2012 22:13:56 +0200
5544c1
Subject: [PATCH] ide: Fix error messages from static code analysis (no real
5544c1
 error)
5544c1
5544c1
Report from smatch:
5544c1
hw/ide/core.c:1472 ide_exec_cmd(423) error: buffer overflow 'smart_attributes' 8 <= 29
5544c1
hw/ide/core.c:1474 ide_exec_cmd(425) error: buffer overflow 'smart_attributes' 8 <= 29
5544c1
hw/ide/core.c:1475 ide_exec_cmd(426) error: buffer overflow 'smart_attributes' 8 <= 29
5544c1
...
5544c1
5544c1
The upper limit of 30 was never reached because both for loops terminated
5544c1
when 'smart_attributes' reached end of list, so there was no real buffer
5544c1
overflow.
5544c1
5544c1
Nevertheless, changing the code not only fixes the error report, but also
5544c1
reduces the size of smart_attributes and simplifies the for loops.
5544c1
5544c1
Signed-off-by: Stefan Weil <sw@weilnetz.de>
5544c1
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5544c1
(cherry picked from commit 1e53537fdaa4657d11f130a0f2673fcfb1956381)
5544c1
5544c1
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
5544c1
---
5544c1
 hw/ide/core.c | 11 ++---------
5544c1
 1 file changed, 2 insertions(+), 9 deletions(-)
5544c1
5544c1
diff --git a/hw/ide/core.c b/hw/ide/core.c
5544c1
index d65ef3d..d6fb69c 100644
5544c1
--- a/hw/ide/core.c
5544c1
+++ b/hw/ide/core.c
5544c1
@@ -53,8 +53,6 @@ static const int smart_attributes[][12] = {
5544c1
     { 0x0c, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
5544c1
     /* airflow-temperature-celsius */
5544c1
     { 190,  0x03, 0x00, 0x45, 0x45, 0x1f, 0x00, 0x1f, 0x1f, 0x00, 0x00, 0x32},
5544c1
-    /* end of list */
5544c1
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
5544c1
 };
5544c1
 
5544c1
 static int ide_handle_rw_error(IDEState *s, int error, int op);
5544c1
@@ -1468,9 +1466,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
5544c1
 	case SMART_READ_THRESH:
5544c1
 		memset(s->io_buffer, 0, 0x200);
5544c1
 		s->io_buffer[0] = 0x01; /* smart struct version */
5544c1
-		for (n=0; n<30; n++) {
5544c1
-		if (smart_attributes[n][0] == 0)
5544c1
-			break;
5544c1
+		for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
5544c1
 		s->io_buffer[2+0+(n*12)] = smart_attributes[n][0];
5544c1
 		s->io_buffer[2+1+(n*12)] = smart_attributes[n][11];
5544c1
 		}
5544c1
@@ -1484,10 +1480,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
5544c1
 	case SMART_READ_DATA:
5544c1
 		memset(s->io_buffer, 0, 0x200);
5544c1
 		s->io_buffer[0] = 0x01; /* smart struct version */
5544c1
-		for (n=0; n<30; n++) {
5544c1
-		    if (smart_attributes[n][0] == 0) {
5544c1
-			break;
5544c1
-		    }
5544c1
+		for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
5544c1
 		    int i;
5544c1
 		    for(i = 0; i < 11; i++) {
5544c1
 			s->io_buffer[2+i+(n*12)] = smart_attributes[n][i];
5544c1
-- 
5544c1
1.7.12.1
5544c1