From: Darren Jenkins <[email protected]>
Coverity found an over-run @ line 364 of efi.c
This is due to the loop checking the size correctly, then adding a '\0'
after possibly hitting the end of the array.
The patch below just ensures the loop exits with one space left in the
array.
Compile tested.
Signed-off-by: Darren Jenkins <[email protected]>
Signed-off-by: Adrian Bunk <[email protected]>
---
This patch was sent by Darren Jenkins on:
- 08 Mar 2006
--- linux-2.6.16-rc5/arch/i386/kernel/efi.c.orig 2006-03-08 12:31:14.000000000 +1100
+++ linux-2.6.16-rc5/arch/i386/kernel/efi.c 2006-03-08 12:37:59.000000000 +1100
@@ -359,7 +359,7 @@ void __init efi_init(void)
*/
c16 = (efi_char16_t *) boot_ioremap(efi.systab->fw_vendor, 2);
if (c16) {
- for (i = 0; i < sizeof(vendor) && *c16; ++i)
+ for (i = 0; i < (sizeof(vendor) - 1) && *c16; ++i)
vendor[i] = *c16++;
vendor[i] = '\0';
} else
>- for (i = 0; i < sizeof(vendor) && *c16; ++i)
>+ for (i = 0; i < (sizeof(vendor) - 1) && *c16; ++i)
for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
Should suffice.
Jan Engelhardt
--
On Sat, Mar 25, 2006 at 07:41:56PM +0100, Jan Engelhardt wrote:
>
> >- for (i = 0; i < sizeof(vendor) && *c16; ++i)
> >+ for (i = 0; i < (sizeof(vendor) - 1) && *c16; ++i)
>
> for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
> Should suffice.
That's irrelevant.
The important question is readability.
> Jan Engelhardt
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
On Sat, 2006-03-25 at 19:41 +0100, Jan Engelhardt wrote:
> >- for (i = 0; i < sizeof(vendor) && *c16; ++i)
> >+ for (i = 0; i < (sizeof(vendor) - 1) && *c16; ++i)
>
> for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
> Should suffice.
>
>
> Jan Engelhardt
OK since it is preferred without the brackets, here it is again.
Coverity found an over-run @ line 364 of efi.c
This is due to the loop checking the size correctly, then adding a '\0'
after possibly hitting the end of the array.
The patch below just ensures the loop exits with one space left in the
array.
Compile tested.
Signed-off-by: Darren Jenkins <[email protected]>
--- linux-2.6.16-git8/arch/i386/kernel/efi.c.orig 2006-03-26 12:06:47.000000000 +1000
+++ linux-2.6.16-git8/arch/i386/kernel/efi.c 2006-03-26 12:08:34.000000000 +1000
@@ -361,7 +361,7 @@ void __init efi_init(void)
*/
c16 = (efi_char16_t *) boot_ioremap(efi.systab->fw_vendor, 2);
if (c16) {
- for (i = 0; i < sizeof(vendor) && *c16; ++i)
+ for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
vendor[i] = *c16++;
vendor[i] = '\0';
} else