ACK and thanks, Jim.

Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwa...@petalogix.com>
On Fri, May 11, 2012 at 2:19 AM, Jim Meyering <j...@meyering.net> wrote: > From: Jim Meyering <meyer...@redhat.com> > > Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number > of bytes to clear. The latter would always clear 4 or 8 > bytes, possibly writing beyond the end of that stack buffer. > Alternatively, depending on the value of the "size" parameter, > it could fail to initialize the end of "rxbuf". > Spotted by coverity. > > Signed-off-by: Jim Meyering <meyer...@redhat.com> > --- > hw/cadence_gem.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c > index e2140ae..dbde392 100644 > --- a/hw/cadence_gem.c > +++ b/hw/cadence_gem.c > @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const > uint8_t *buf, size_t size) > */ > > memcpy(rxbuf, buf, size); > - memset(rxbuf + size, 0, sizeof(rxbuf - size)); > + memset(rxbuf + size, 0, sizeof(rxbuf) - size); > rxbuf_ptr = rxbuf; > crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); > if (size < 60) { > -- > 1.7.10.1.487.ga3935e6 >
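Review bot: the corrected length `sizeof(rxbuf) - size` in the memset is only safe if `size <= sizeof(rxbuf)` has already been established, and nothing in this hunk shows that bound: the preceding `memcpy(rxbuf, buf, size);` copies `size` bytes unchecked, and since both operands are size_t a `size` larger than the buffer would make `sizeof(rxbuf) - size` wrap to a very large count rather than go negative. The fix is correct for the operator-precedence bug the commit message describes, but it is worth confirming that gem_receive rejects oversized frames before reaching the memcpy (the comment ending in `*/` just above suggests that is where such a check would be documented), or adding one there if it is absent.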