diff mbox

[for-2.5] bt: avoid unintended sign extension

Message ID 1448626105-29540-2-git-send-email-pbonzini@redhat.com
State New
Headers show

Commit Message

Paolo Bonzini Nov. 27, 2015, 12:08 p.m. UTC 
In the case of a 4-byte length, shifting a value by 24 may cause
an unintended sign extension when converting from int to size_t.
Use a uint32_t variable instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/bt/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Markus Armbruster Nov. 27, 2015, 2:36 p.m. UTC | #1 
Paolo Bonzini <pbonzini@redhat.com> writes:

> In the case of a 4-byte length, shifting a value by 24 may cause
> an unintended sign extension when converting from int to size_t.
> Use a uint32_t variable instead.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

For 32 bit ssize_t, lengths > 0x7fffffff go to negative, same as before.
*shrug*

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Michael Tokarev Nov. 29, 2015, 10:37 a.m. UTC | #2 
27.11.2015 15:08, Paolo Bonzini wrote:
> In the case of a 4-byte length, shifting a value by 24 may cause
> an unintended sign extension when converting from int to size_t.
> Use a uint32_t variable instead.

Applied to -trivial, thank you!

/mjt
diff mbox

Patch

diff --git a/hw/bt/sdp.c b/hw/bt/sdp.c
index b9bcdcc..04eaeca 100644
--- a/hw/bt/sdp.c
+++ b/hw/bt/sdp.c
@@ -42,7 +42,7 @@  struct bt_l2cap_sdp_state_s {
 
 static ssize_t sdp_datalen(const uint8_t **element, ssize_t *left)
 {
-    size_t len = *(*element) ++ & SDP_DSIZE_MASK;
+    uint32_t len = *(*element) ++ & SDP_DSIZE_MASK;
 
     if (!*left)
         return -1;