|
|
5544c1 |
From 8557d38b8d660d07c7b6fd1bfa62182cc6c52400 Mon Sep 17 00:00:00 2001
|
|
|
5544c1 |
From: Stefan Weil <sw@weilnetz.de>
|
|
|
5544c1 |
Date: Mon, 3 Sep 2012 22:13:56 +0200
|
|
|
5544c1 |
Subject: [PATCH] ide: Fix error messages from static code analysis (no real
|
|
|
5544c1 |
error)
|
|
|
5544c1 |
|
|
|
5544c1 |
Report from smatch:
|
|
|
5544c1 |
hw/ide/core.c:1472 ide_exec_cmd(423) error: buffer overflow 'smart_attributes' 8 <= 29
|
|
|
5544c1 |
hw/ide/core.c:1474 ide_exec_cmd(425) error: buffer overflow 'smart_attributes' 8 <= 29
|
|
|
5544c1 |
hw/ide/core.c:1475 ide_exec_cmd(426) error: buffer overflow 'smart_attributes' 8 <= 29
|
|
|
5544c1 |
...
|
|
|
5544c1 |
|
|
|
5544c1 |
The upper limit of 30 was never reached because both for loops terminated
|
|
|
5544c1 |
when 'smart_attributes' reached end of list, so there was no real buffer
|
|
|
5544c1 |
overflow.
|
|
|
5544c1 |
|
|
|
5544c1 |
Nevertheless, changing the code not only fixes the error report, but also
|
|
|
5544c1 |
reduces the size of smart_attributes and simplifies the for loops.
|
|
|
5544c1 |
|
|
|
5544c1 |
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
|
5544c1 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
5544c1 |
(cherry picked from commit 1e53537fdaa4657d11f130a0f2673fcfb1956381)
|
|
|
5544c1 |
|
|
|
5544c1 |
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
|
5544c1 |
---
|
|
|
5544c1 |
hw/ide/core.c | 11 ++---------
|
|
|
5544c1 |
1 file changed, 2 insertions(+), 9 deletions(-)
|
|
|
5544c1 |
|
|
|
5544c1 |
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
|
|
5544c1 |
index d65ef3d..d6fb69c 100644
|
|
|
5544c1 |
--- a/hw/ide/core.c
|
|
|
5544c1 |
+++ b/hw/ide/core.c
|
|
|
5544c1 |
@@ -53,8 +53,6 @@ static const int smart_attributes[][12] = {
|
|
|
5544c1 |
{ 0x0c, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
|
|
5544c1 |
/* airflow-temperature-celsius */
|
|
|
5544c1 |
{ 190, 0x03, 0x00, 0x45, 0x45, 0x1f, 0x00, 0x1f, 0x1f, 0x00, 0x00, 0x32},
|
|
|
5544c1 |
- /* end of list */
|
|
|
5544c1 |
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
|
|
|
5544c1 |
};
|
|
|
5544c1 |
|
|
|
5544c1 |
static int ide_handle_rw_error(IDEState *s, int error, int op);
|
|
|
5544c1 |
@@ -1468,9 +1466,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
|
|
|
5544c1 |
case SMART_READ_THRESH:
|
|
|
5544c1 |
memset(s->io_buffer, 0, 0x200);
|
|
|
5544c1 |
s->io_buffer[0] = 0x01; /* smart struct version */
|
|
|
5544c1 |
- for (n=0; n<30; n++) {
|
|
|
5544c1 |
- if (smart_attributes[n][0] == 0)
|
|
|
5544c1 |
- break;
|
|
|
5544c1 |
+ for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
|
|
|
5544c1 |
s->io_buffer[2+0+(n*12)] = smart_attributes[n][0];
|
|
|
5544c1 |
s->io_buffer[2+1+(n*12)] = smart_attributes[n][11];
|
|
|
5544c1 |
}
|
|
|
5544c1 |
@@ -1484,10 +1480,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
|
|
|
5544c1 |
case SMART_READ_DATA:
|
|
|
5544c1 |
memset(s->io_buffer, 0, 0x200);
|
|
|
5544c1 |
s->io_buffer[0] = 0x01; /* smart struct version */
|
|
|
5544c1 |
- for (n=0; n<30; n++) {
|
|
|
5544c1 |
- if (smart_attributes[n][0] == 0) {
|
|
|
5544c1 |
- break;
|
|
|
5544c1 |
- }
|
|
|
5544c1 |
+ for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
|
|
|
5544c1 |
int i;
|
|
|
5544c1 |
for(i = 0; i < 11; i++) {
|
|
|
5544c1 |
s->io_buffer[2+i+(n*12)] = smart_attributes[n][i];
|
|
|
5544c1 |
--
|
|
|
5544c1 |
1.7.12.1
|
|
|
5544c1 |
|