From 5fbe02e8bb7c62ee55b8edc5fd688c369164c49c Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Thu, 10 May 2012 06:19:48 +0000
Subject: cadence_gem: avoid stack-writing buffer-overrun

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number of bytes to clear. The latter would always clear 4 or 8 bytes, possibly writing beyond the end of that stack buffer. Alternatively, depending on the value of the "size" parameter, it could fail to initialize the end of "rxbuf". Spotted by coverity.

Signed-off-by: Jim Meyering
Reviewed-by: Peter A.G. Crosthwaite
Signed-off-by: Peter Maydell
---
 hw/cadence_gem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'hw/cadence_gem.c')

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140aea2b..dbde3920d0 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
 */
 memcpy(rxbuf, buf, size);
- memset(rxbuf + size, 0, sizeof(rxbuf - size));
+ memset(rxbuf + size, 0, sizeof(rxbuf) - size);
 rxbuf_ptr = rxbuf;
 crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
 if (size < 60) {
-- 
cgit v1.2.3-55-g7522
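Review bot: The corrected memset length still underflows when `size` exceeds `sizeof(rxbuf)`: `size` is a `size_t` (see the gem_receive signature in the hunk header), so `sizeof(rxbuf) - size` wraps to a huge value, and by then the `memcpy(rxbuf, buf, size)` on the preceding line has already overrun the stack buffer. Unless a length check precedes the hunk (the start of gem_receive is outside it, as is its end), this change fixes the sizeof misuse but not the unbounded copy, which is the more serious issue for a frame coming from the network. I would reject oversize frames before the memcpy, e.g. `if (size > sizeof(rxbuf)) { return size; /* drop oversize frame */ }`, using whatever return value this device model uses to drop a frame. A short comment on the memset, `/* zero the tail so the crc32 over MAX(size, 60) bytes below sees defined padding */`, would also document why the clear is needed at all.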