From patchwork Tue Jun 25 15:40:52 2013
From: "Michael S. Tsirkin"
To: qemu-devel@nongnu.org
Cc: Jason Wang, Paolo Bonzini, Andrew Jones, Anthony Liguori, Stefan Hajnoczi
Date: Tue, 25 Jun 2013 18:40:52 +0300
Subject: [Qemu-devel] [PULL v2 05/21] e1000: cleanup process_tx_desc
Message-ID: <1372174719-6564-6-git-send-email-mst@redhat.com>
In-Reply-To: <1372174719-6564-1-git-send-email-mst@redhat.com>
References: <1372174719-6564-1-git-send-email-mst@redhat.com>
X-Patchwork-Submitter: "Michael S. Tsirkin"
X-Patchwork-Id: 254202

From: Andrew Jones

Coverity complains about two overruns in process_tx_desc(). The complaints are false positives, but we might as well eliminate them.

The problem is that "hdr" is defined as an unsigned int, but then used to offset an array of size 65536, and another of size 256 bytes. hdr will actually never be greater than 255 though, as it's assigned only once and to the value of tp->hdr_len, which is a uint8_t.

This patch simply gets rid of hdr, replacing it with tp->hdr_len, which makes it consistent with all other tp member use in the function.

v2:
- also clean up coding style issues in the touched lines

Signed-off-by: Andrew Jones
Signed-off-by: Michael S. Tsirkin
---
hw/net/e1000.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index e6f46f0..620f947 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -556,7 +556,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) uint32_t txd_lower = le32_to_cpu(dp->lower.data); uint32_t dtype = txd_lower & (E1000_TXD_CMD_DEXT | E1000_TXD_DTYP_D); unsigned int split_size = txd_lower & 0xffff, bytes, sz, op; - unsigned int msh = 0xfffff, hdr = 0; + unsigned int msh = 0xfffff; uint64_t addr; struct e1000_context_desc *xp = (struct e1000_context_desc *)dp; struct e1000_tx *tp = &s->tx; @@ -603,8 +603,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) addr = le64_to_cpu(dp->buffer_addr); if (tp->tse && tp->cptse) { - hdr = tp->hdr_len; - msh = hdr + tp->mss; + msh = tp->hdr_len + tp->mss; do { bytes = split_size; if (tp->size + bytes > msh) @@ -612,14 +611,16 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) bytes = MIN(sizeof(tp->data) - tp->size, bytes); pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes); - if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) - memmove(tp->header, tp->data, hdr); + sz = tp->size + bytes; + if (sz >= tp->hdr_len && tp->size < tp->hdr_len) { + memmove(tp->header, tp->data, tp->hdr_len); + } tp->size = sz; addr += bytes; if (sz == msh) { xmit_seg(s); - memmove(tp->data, tp->header, hdr); - tp->size = hdr; + memmove(tp->data, tp->header, tp->hdr_len); + tp->size = tp->hdr_len; } } while (split_size -= bytes); } else if (!tp->tse && tp->cptse) { @@ -633,8 +634,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) if (!(txd_lower & E1000_TXD_CMD_EOP)) return; - if (!(tp->tse && tp->cptse && tp->size < hdr)) + if (!(tp->tse && tp->cptse && tp->size < tp->hdr_len)) { xmit_seg(s); + } tp->tso_frames = 0; tp->sum_needed = 0; tp->vlan_needed = 0;
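Review bot: in the third hunk (the `sz = tp->size + bytes;` block), both `memmove(tp->header, tp->data, tp->hdr_len)` and `memmove(tp->data, tp->header, tp->hdr_len)` stay in bounds only because tp->hdr_len is a uint8_t and tp->header is 256 bytes, which is exactly the invariant the commit message spells out but the code leaves implicit. A `QEMU_BUILD_BUG_ON(sizeof(tp->header) <= UINT8_MAX)` beside the first memmove, or a one-line comment stating that hdr_len is bounded by its type, would stop a later widening of hdr_len from silently turning Coverity's false positive into a real overrun of tp->header.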
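Review bot: the last hunk's condition `!(tp->tse && tp->cptse && tp->size < tp->hdr_len)` is behaviour-preserving only thanks to short-circuit evaluation, and that deserves a sentence in the commit message since the change is not a pure rename: the old `hdr` was 0 whenever the TSE path was not taken, so `tp->size < hdr` was always false there, whereas tp->hdr_len can be non-zero at that point; the comparison is now only reached when `tp->tse && tp->cptse` holds, i.e. on the same path where hdr used to equal tp->hdr_len. Separately, the braces added around `xmit_seg(s);` leave the neighbouring `if (!(txd_lower & E1000_TXD_CMD_EOP)) return;` brace-less; that matches the "touched lines only" scope stated for v2, but it leaves the function half-converted, so either mention it or convert the adjacent statement in the same pass.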