Credit for finding and fixes goes to Peter Maydell This patchset fixes a couple of issues spotted by Coverity: * incorrect address checks meant the guest could write off the end of the tx_buffer arrays * we had an unused value in ctucan_send_ready_buffers() and also some I noticed while reading the code: * we don't adjust the device's non-portable use of bitfields on bigendian hosts * we should use stl_le_p() rather than casting uint_t* to uint32_t*
Tested with "make check" only. Changes v1->v2: don't assert() the can't-happen case in patch 1, to allow for future adjustment of #defines that correspond to h/w synthesis parameters. Changes v2->v3: minnor corrections of range checking, support for unaligned and partial word writes into Tx buffers. Tested on x86_64 guest on x86_64 host and bige-edian MIPS guest on x86_64 host Pavel Pisa. Peter Maydell (4): hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer hw/net/can/ctucan: Avoid unused value in ctucan_send_ready_buffers() hw/net/can/ctucan_core: Handle big-endian hosts hw/net/can/ctucan_core: Use stl_le_p to write to tx_buffers hw/net/can/ctucan_core.c | 23 +++++++---------------- hw/net/can/ctucan_core.h | 3 +-- 2 files changed, 8 insertions(+), 18 deletions(-) -- 2.20.1
