Message ID | 1448626105-29540-2-git-send-email-pbonzini@redhat.com |
---|---|
State | New |
Paolo Bonzini <pbonzini@redhat.com> writes:

> In the case of a 4-byte length, shifting a value by 24 may cause
> an unintended sign extension when converting from int to size_t.
> Use a uint32_t variable instead.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

For 32 bit ssize_t, lengths > 0x7fffffff go to negative, same as before. *shrug*

Reviewed-by: Markus Armbruster <armbru@redhat.com>

27.11.2015 15:08, Paolo Bonzini wrote:

> In the case of a 4-byte length, shifting a value by 24 may cause
> an unintended sign extension when converting from int to size_t.
> Use a uint32_t variable instead.

Applied to -trivial, thank you!

/mjt

diff --git a/hw/bt/sdp.c b/hw/bt/sdp.c index b9bcdcc..04eaeca 100644 --- a/hw/bt/sdp.c +++ b/hw/bt/sdp.c @@ -42,7 +42,7 @@ struct bt_l2cap_sdp_state_s { static ssize_t sdp_datalen(const uint8_t **element, ssize_t *left) { - size_t len = *(*element) ++ & SDP_DSIZE_MASK; + uint32_t len = *(*element) ++ & SDP_DSIZE_MASK; if (!*left) return -1;
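
Review bot: In the unchanged context of this hunk, `*(*element) ++` reads a byte and advances the pointer before the `if (!*left) return -1;` check, so the descriptor byte is read even when no bytes remain; consider moving the `*left` test ahead of the `len` initialisation. On the changed line, the function still returns `ssize_t`, so it would help to say in a comment or in the commit message how a `uint32_t` length above 0x7fffffff is meant to be handled on hosts with a 32-bit `ssize_t`.
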
In the case of a 4-byte length, shifting a value by 24 may cause an unintended sign extension when converting from int to size_t. Use a uint32_t variable instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

---
 hw/bt/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
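
The sign extension the commit message describes, as an added example that is not code from the patch or from QEMU: the function names, the bounds helper and the sample bytes are assumptions made for illustration, modelling a 4-byte big-endian length decoded with shifts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 4-byte big-endian length with the top bit set. */
static const uint8_t sample[4] = { 0x80, 0x00, 0x00, 0x10 };

/* Models the "before" case: the top byte shifted by 24 has type int, so a
 * set top bit makes it negative, and converting that int to a 64-bit
 * size_t sign-extends. The int32_t cast reproduces that value without a
 * signed-overflow shift (the conversion wraps on mainstream compilers). */
static size_t decode_len_promoted(const uint8_t *p)
{
    size_t len = (size_t)(int32_t)((uint32_t)p[0] << 24);
    len |= (size_t)p[1] << 16;
    len |= (size_t)p[2] << 8;
    len |= p[3];
    return len;
}

/* Models the "after" case: accumulate in uint32_t, so there is no sign bit. */
static uint32_t decode_len_u32(const uint8_t *p)
{
    uint32_t len = (uint32_t)p[0] << 24;
    len |= (uint32_t)p[1] << 16;
    len |= (uint32_t)p[2] << 8;
    len |= p[3];
    return len;
}

/* Hypothetical caller-side check: accept the decoded length only if it
 * fits in the bytes still available in the buffer. */
static int len_in_bounds(uint32_t len, size_t left)
{
    return len <= left;
}

int main(void)
{
    printf("promoted: 0x%zx\n", decode_len_promoted(sample));
    printf("uint32_t: 0x%lx\n", (unsigned long)decode_len_u32(sample));
    printf("fits in 64 bytes: %d\n",
           len_in_bounds(decode_len_u32(sample), 64));
    return 0;
}
```

On a host with a 64-bit `size_t` the first function yields 0xffffffff80000010 while the second yields 0x80000010; the bounds helper rejects both the oversized value and any length larger than the remaining data.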