author    Jim Meyering    2012-05-10 08:19:48 +0200
committer Peter Maydell   2012-06-19 15:24:44 +0200
commit    5fbe02e8bb7c62ee55b8edc5fd688c369164c49c
tree      35d6f0ee1ff77d4f805034702f7bbe4de40949d9
parent    hw/a9mpcore: Fix compilation failure if physaddrs are 64 bit
cadence_gem: avoid stack-writing buffer-overrun
Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number of bytes
to clear. The latter would always clear 4 or 8 bytes, possibly writing
beyond the end of that stack buffer. Alternatively, depending on the
value of the "size" parameter, it could fail to initialize the end of
"rxbuf".

Spotted by coverity.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
hw/cadence_gem.c | 2 +-
1 files changed, 1 insertions, 1 deletions
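The commit message describes two consequences of writing `sizeof(rxbuf - size)`: the expression is the size of a pointer (4 or 8), so the memset either runs past the end of the stack buffer or leaves most of the tail uninitialized. The following stand-alone C program is an added illustration, not code from QEMU or from this commit. It assumes a 2048-byte receive buffer (the real size in cadence_gem.c is not visible in the hunk) and constructed frame data; `buggy_clear_len` shows what the pre-fix expression evaluates to, `copy_and_pad` is a hardened form of the two lines in the hunk with a frame-size guard added, and the two `stale_after_*` helpers compare how many stale tail bytes each variant leaves behind.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the NIC model's stack receive buffer; the real
 * size in cadence_gem.c is not visible in the hunk, so 2048 is an assumption. */
#define RXBUF_LEN 2048

/* Byte count the pre-fix expression produces. In "rxbuf - size" the array
 * decays to a pointer, so sizeof() yields sizeof(uint8_t *): 4 or 8,
 * regardless of how long the tail actually is. */
size_t buggy_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    (void)rxbuf;
    return sizeof(rxbuf - size);
}

/* Hardened form of the two lines in the hunk: reject frames that do not fit
 * (a guard the hunk's visible context does not show), then copy the frame
 * and zero the remainder of the buffer with the post-fix expression.
 * Returns the number of tail bytes cleared, or -1 if the frame is too large. */
long copy_and_pad(uint8_t *rxbuf, size_t rxbuf_len, const uint8_t *buf, size_t size)
{
    if (size > rxbuf_len) {
        return -1;                                /* memcpy would overrun rxbuf */
    }
    memcpy(rxbuf, buf, size);
    memset(rxbuf + size, 0, rxbuf_len - size);   /* sizeof(rxbuf) - size */
    return (long)(rxbuf_len - size);
}

/* Count bytes of rxbuf beyond the frame that are still non-zero (stale). */
size_t stale_tail_bytes(const uint8_t *rxbuf, size_t rxbuf_len, size_t size)
{
    size_t stale = 0;
    for (size_t i = size; i < rxbuf_len; i++) {
        if (rxbuf[i] != 0) {
            stale++;
        }
    }
    return stale;
}

/* Receive a constructed frame of frame_len 0x55 bytes into a buffer
 * pre-filled with 0xAA (stale data left by an earlier frame), using the
 * fixed padding. Returns stale tail bytes remaining, or -1 if rejected. */
long stale_after_fixed_pad(size_t frame_len)
{
    uint8_t rxbuf[RXBUF_LEN];
    uint8_t frame[RXBUF_LEN + 1];
    if (frame_len > sizeof frame) {
        return -1;
    }
    memset(rxbuf, 0xAA, sizeof rxbuf);
    memset(frame, 0x55, sizeof frame);
    if (copy_and_pad(rxbuf, sizeof rxbuf, frame, frame_len) < 0) {
        return -1;
    }
    return (long)stale_tail_bytes(rxbuf, sizeof rxbuf, frame_len);
}

/* Same scenario, but clearing only buggy_clear_len() bytes as the pre-fix
 * code did. The memset is performed only when it stays inside rxbuf; in the
 * real bug a frame_len near RXBUF_LEN would write past the buffer instead. */
long stale_after_buggy_pad(size_t frame_len)
{
    uint8_t rxbuf[RXBUF_LEN];
    uint8_t frame[RXBUF_LEN + 1];
    size_t n = buggy_clear_len(frame_len);
    if (frame_len > sizeof rxbuf || frame_len + n > sizeof rxbuf) {
        return -1;
    }
    memset(rxbuf, 0xAA, sizeof rxbuf);
    memset(frame, 0x55, sizeof frame);
    memcpy(rxbuf, frame, frame_len);
    memset(rxbuf + frame_len, 0, n);
    return (long)stale_tail_bytes(rxbuf, sizeof rxbuf, frame_len);
}

int main(void)
{
    printf("pre-fix expression clears %zu byte(s)\n", buggy_clear_len(100));
    printf("stale tail bytes after a 100-byte frame: fixed %ld, buggy %ld\n",
           stale_after_fixed_pad(100), stale_after_buggy_pad(100));
    printf("oversized frame rejected: %ld\n", stale_after_fixed_pad(RXBUF_LEN + 1));
    return 0;
}
```

With a 100-byte frame the fixed path leaves no stale bytes, while the pre-fix length leaves all but 4 or 8 bytes of the tail untouched; the guard in `copy_and_pad` is what keeps the unsigned subtraction `rxbuf_len - size` from underflowing when a frame is larger than the buffer.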
diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140aea2b..dbde3920d0 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
*/
memcpy(rxbuf, buf, size);
- memset(rxbuf + size, 0, sizeof(rxbuf - size));
+ memset(rxbuf + size, 0, sizeof(rxbuf) - size);
rxbuf_ptr = rxbuf;
crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
if (size < 60) {
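Review bot: the corrected length is right, but `sizeof(rxbuf) - size` is an unsigned subtraction, and the context shown in this hunk contains no check that `size` is at most `sizeof(rxbuf)` before the unconditional `memcpy(rxbuf, buf, size)` on the preceding line. If `size` can exceed the buffer, the memcpy has already overrun the stack buffer and the memset length underflows to a huge value; please confirm that `gem_receive` or its caller bounds `size` earlier, or add an explicit `if (size > sizeof(rxbuf)) { return -1; }` ahead of the memcpy so the two lines are safe on their own. A one-line comment stating that the tail is zeroed so that the CRC over `MAX(size, 60)` bytes and the padding below never read stale data from a previous frame would also make the intent of the memset clearer to the next reader.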