cadence_gem: avoid stack-writing buffer-overrun

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
of bytes to clear.  The latter would always clear 4 or 8
bytes, possibly writing beyond the end of that stack buffer.
Alternatively, depending on the value of the "size" parameter,
it could fail to initialize the end of "rxbuf".
Spotted by coverity.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Jim Meyering 2012-05-10 06:19:48 +00:00 committed by Peter Maydell
parent c97338dca0
commit 5fbe02e8bb

View File

@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
*/ */
memcpy(rxbuf, buf, size); memcpy(rxbuf, buf, size);
memset(rxbuf + size, 0, sizeof(rxbuf - size)); memset(rxbuf + size, 0, sizeof(rxbuf) - size);
rxbuf_ptr = rxbuf; rxbuf_ptr = rxbuf;
crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
if (size < 60) { if (size < 60) {