On 02/16/2016 08:45 AM, Paolo Bonzini wrote: > > > On 06/02/2016 20:13, Michael S. Tsirkin wrote: >> >> - if (sdr[7] > MAX_SENSORS) { >> + if (sdr->sensor_owner_number > MAX_SENSORS) { > > This is another off-by-one, it should have been >=. Same for all these > occurrences later in the same file: > > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) || > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) || > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) || > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) || > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) || > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) || > hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
I missed that. Here is a patch. Thanks, C.
From: Cédric Le Goater <c...@fr.ibm.com>
Subject: [PATCH] ipmi: sensor number should not exceed MAX_SENSORS
Date: Tue, 16 Feb 2016 09:05:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Cédric Le Goater <c...@fr.ibm.com>
---
 hw/ipmi/ipmi_bmc_sim.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
Index: qemu-powernv.git/hw/ipmi/ipmi_bmc_sim.c
===================================================================
--- qemu-powernv.git.orig/hw/ipmi/ipmi_bmc_sim.c
+++ qemu-powernv.git/hw/ipmi/ipmi_bmc_sim.c
@@ -536,7 +536,7 @@ static void ipmi_init_sensors_from_sdrs(
 continue; /* Not a sensor SDR we set from */
 }
- if (sdr->sensor_owner_number > MAX_SENSORS) {
+ if (sdr->sensor_owner_number >= MAX_SENSORS) {
 continue;
 }
 sens = s->sensors + sdr->sensor_owner_number;
@@ -1448,7 +1448,7 @@ static void set_sensor_evt_enable(IPMIBm
 IPMISensor *sens;
 IPMI_CHECK_CMD_LEN(4);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
@@ -1500,7 +1500,7 @@ static void get_sensor_evt_enable(IPMIBm
 IPMISensor *sens;
 IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
@@ -1521,7 +1521,7 @@ static void rearm_sensor_evts(IPMIBmcSim
 IPMISensor *sens;
 IPMI_CHECK_CMD_LEN(4);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
@@ -1543,7 +1543,7 @@ static void get_sensor_evt_status(IPMIBm
 IPMISensor *sens;
 IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
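Review bot: The corrected `>= MAX_SENSORS` guard at the top of the first hunk skips an out-of-range SDR with a bare `continue`, and nothing near it says why that bound is the right one; the reader has to reach the context line `sens = s->sensors + sdr->sensor_owner_number;` to see that the number is about to be used as an index. I would put a one-line comment above the check, `/* sensor_owner_number is used as an index into s->sensors just below; an SDR whose number has no slot is skipped */`. If the SDR repository this iterates can be populated at runtime by the managed system (not visible in the hunk), skipping silently is the safe choice, though a trace point there would help diagnose a misbuilt SDR. ipmi_init_sensors_from_sdrs starts and ends outside the hunk.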
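Review bot: The guard `if ((cmd[2] >= MAX_SENSORS) || !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2]))` in set_sensor_evt_enable is repeated verbatim in the six other handlers this patch touches, which is exactly why one wrong comparison had to be corrected seven times; I would move the bounds-and-presence check into one static helper and have each handler call it. The helper below keeps the `IPMI_CC_REQ_ENTRY_NOT_PRESENT` response in the handler, so observable behavior is unchanged; the assignment to `sens` that presumably follows the guard is outside the hunk, so that line would be folded into the call. The parameter type assumes `cmd` is a byte array, as `cmd[2]` suggests; adjust if it is wider. set_sensor_evt_enable continues outside the hunk.
```c
/* Look up sensor @num from a request; NULL if out of range or not present. */
static IPMISensor *ipmi_get_present_sensor(IPMIBmcSim *ibs, uint8_t num)
{
    if (num >= MAX_SENSORS || !IPMI_SENSOR_GET_PRESENT(ibs->sensors + num)) {
        return NULL;
    }
    return ibs->sensors + num;
}

/* … unchanged: start of set_sensor_evt_enable() up to the length check … */
    IPMI_CHECK_CMD_LEN(4);
    sens = ipmi_get_present_sensor(ibs, cmd[2]);
    if (!sens) {
        rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
        return;
    }
```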
@@ -1565,7 +1565,7 @@ static void get_sensor_reading(IPMIBmcSi
 IPMISensor *sens;
 IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
@@ -1588,7 +1588,7 @@ static void set_sensor_type(IPMIBmcSim *
 IPMI_CHECK_CMD_LEN(5);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
@@ -1607,7 +1607,7 @@ static void get_sensor_type(IPMIBmcSim *
 IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
 !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
 rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
 return;
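Review bot: In get_sensor_reading the bound in `if ((cmd[2] >= MAX_SENSORS) ||` is a constant kept separately from the storage it protects, which is how the original `>` survived in seven handlers; if `sensors` is declared as an array of MAX_SENSORS entries (its declaration is not in the hunk), comparing against QEMU's `ARRAY_SIZE(ibs->sensors)` ties the check to the declaration so the two cannot drift apart again. `cmd[2]` appears to be a byte taken straight from the request, so this comparison is the only thing between the request and an out-of-bounds read through `ibs->sensors + cmd[2]` on the next line; a short comment making that explicit, `/* cmd[2] comes from the request; bound it before it is used as an index */`, would tell the next maintainer why the check must stay strict. get_sensor_reading continues outside the hunk.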