I re-sent this yesterday to trivial. May end up getting queued for merge twice.
On Tue, Jun 19, 2012 at 11:31 PM, Peter Maydell <peter.mayd...@linaro.org> wrote: > From: Jim Meyering <meyer...@redhat.com> > > Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number > of bytes to clear. The latter would always clear 4 or 8 > bytes, possibly writing beyond the end of that stack buffer. > Alternatively, depending on the value of the "size" parameter, > it could fail to initialize the end of "rxbuf". > Spotted by coverity. > > Signed-off-by: Jim Meyering <meyer...@redhat.com> > Reviewed-by: Peter A.G. Crosthwaite <peter.crosthwa...@petalogix.com> > Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> > --- > hw/cadence_gem.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c > index e2140ae..dbde392 100644 > --- a/hw/cadence_gem.c > +++ b/hw/cadence_gem.c > @@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const > uint8_t *buf, size_t size) > */ > > memcpy(rxbuf, buf, size); > - memset(rxbuf + size, 0, sizeof(rxbuf - size)); > + memset(rxbuf + size, 0, sizeof(rxbuf) - size); > rxbuf_ptr = rxbuf; > crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60))); > if (size < 60) { > -- > 1.7.1 > >
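Review bot: the corrected `memset(rxbuf + size, 0, sizeof(rxbuf) - size)` is only safe when `size <= sizeof(rxbuf)`; nothing visible in this hunk bounds `size` before the `memcpy(rxbuf, buf, size)` two lines above it, and if `size` can exceed `sizeof(rxbuf)` the copy overruns the stack buffer and `sizeof(rxbuf) - size` wraps around as an unsigned `size_t`, turning the memset into a second, much larger overrun. If a length check already exists earlier in `gem_receive`, it would be worth mentioning in the commit message; if it does not, an early `if (size > sizeof(rxbuf)) return -1;` (or dropping the frame) ahead of the memcpy would close that path. The fix itself is right and matches the description of the Coverity finding.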