The Coverity checker found the following:
<-- snip -->
...
static int at1700_ioaddr_pattern[] __initdata = {
        0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x07
};
...
static int __init at1700_probe1(struct net_device *dev, int ioaddr)
{
...
        for (l_i = 0; l_i < 0x09; l_i++)
                if (( pos3 & 0x07) == at1700_ioaddr_pattern[l_i])
                        break;
        ioaddr = at1700_mca_probe_list[l_i];
...
}
...
<-- snip -->
This can result in indexing in an array with 8 entries the 10th entry.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Adrian> This can result in indexing in an array with 8 entries the
Adrian> 10th entry.
Well, not really, since the first 8 entries of the array have every
3-bit pattern. So pos3 & 0x07 will always match one of them.
I agree it would be cleaner to make the loop only go up to 7 though.
- R.
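
The argument above depends on the table containing every 3-bit value. The following is an added example, not code from the thread or from the driver, that checks that property and shows what a table without it would do. The helper names, the broken table and the assumption that pos3 is a single byte are constructed for illustration.

```c
#include <stddef.h>

/* Table as quoted in the thread (8 entries). */
static const int at1700_ioaddr_pattern[8] = {
    0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x07
};

/* Constructed counter-example: 0x07 is missing, 0x03 appears twice. */
static const int broken_pattern[8] = {
    0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x03
};

/*
 * Same search as the quoted loop, but bounded by the real table size.
 * Returns the matching index, or -1 where the original loop would have
 * gone on to read table[8].
 */
static int find_index(const int *table, size_t n, int pos3)
{
    for (size_t i = 0; i < n; i++)
        if ((pos3 & 0x07) == table[i])
            return (int)i;
    return -1;
}

/* Returns 1 if every 3-bit value 0..7 occurs in the first n entries. */
static int covers_all_3bit_patterns(const int *table, size_t n)
{
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] >= 0 && table[i] <= 7)
            seen |= 1u << table[i];
    return seen == 0xffu;
}

/* Count pos3 byte values (0..255, assumed range) with no match. */
static int count_unmatched(const int *table, size_t n)
{
    int misses = 0;
    for (int pos3 = 0; pos3 < 256; pos3++)
        if (find_index(table, n, pos3) < 0)
            misses++;
    return misses;
}
```

A check like covers_all_3bit_patterns states the invariant that a static checker cannot infer from the loop bound alone.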
On Fri, Mar 25, 2005 at 10:42:11AM -0800, Roland Dreier wrote:
> Adrian> This can result in indexing in an array with 8 entries the
> Adrian> 10th entry.
>
> Well, not really, since the first 8 entries of the array have every
> 3-bit pattern. So pos3 & 0x07 will always match one of them.
>
> I agree it would be cleaner to make the loop only go up to 7 though.
You either have this (impossible) overflow, or the case l_i == 7 isn't
tested explicitly.
I'd say simply leave it as it is now.
But if no one disagrees, I'm inclined to add a comment.
> - R.
cu
Adrian
On Fri, 25 Mar 2005, Adrian Bunk wrote:
> Date: Fri, 25 Mar 2005 21:38:20 +0100
> From: Adrian Bunk
> To: Roland Dreier
> Subject: Re: drivers/net/at1700.c: at1700_probe1: array overflow
>
> On Fri, Mar 25, 2005 at 10:42:11AM -0800, Roland Dreier wrote:
> > Adrian> This can result in indexing in an array with 8 entries the
> > Adrian> 10th entry.
> >
> > Well, not really, since the first 8 entries of the array have every
> > 3-bit pattern. So pos3 & 0x07 will always match one of them.
> >
> > I agree it would be cleaner to make the loop only go up to 7 though.
>
> You either have this (impossible) overflow, or the case l_i == 7 isn't
> tested explicitly.
>
> I'd say simply leave it as it is now.
>
> But if no one disagrees, I'm inclined to add a comment.
>
> > - R.
>
> cu
> Adrian
>
But on the other hand why loop if you don't have to?
static int at1700_ioaddr_pattern[] __initdata = {
- 0x00, 0x04, 0x01, 0x05, 0x02, 0x06, 0x03, 0x07
+ 0x00, 0x02, 0x04, 0x06, 0x01, 0x03, 0x05, 0x07
};
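Review bot: the new initializer row turns at1700_ioaddr_pattern from an index-to-pattern table into its inverse (pattern-to-index), yet the name is unchanged and no comment records the new meaning. Add a one-line comment above the array saying it is indexed by pos3 & 7 and yields the at1700_mca_probe_list index, and confirm nothing else in the file reads the table with the old meaning. The values themselves are consistent with the removed row (0x04 sat at index 1, and entry 4 is now 0x01).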
...
static int __init at1700_probe1(struct net_device *dev, int ioaddr)
{
...
- for (l_i = 0; l_i < 0x09; l_i++)
- if (( pos3 & 0x07) == at1700_ioaddr_pattern[l_i])
- break;
- ioaddr = at1700_mca_probe_list[l_i];
+ ioaddr = at1700_mca_probe_list[at1700_ioaddr_pattern[pos3&7]];
...
}
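Review bot: the new ioaddr assignment is in range only because the mask limits the inner index to 0..7 and every table value is at most 0x07; the size of at1700_mca_probe_list is not visible here and should be confirmed to be at least 8 entries. With the loop removed, l_i may be left unused in at1700_probe1, so drop its declaration if nothing else needs it, and write pos3 & 0x07 rather than pos3&7 to match the spacing and constant style of the removed lines.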