Re: [Patch] Off by one in drivers/usb/input/yealink.c

On Wednesday 05 July 2006 20:49, Eric Sesterhenn / Snakebyte wrote:
> * Dmitry Torokhov ([email protected]) wrote:
> > On 7/5/06, Henk Vergonet <[email protected]> wrote:
> > >On Tue, Jun 27, 2006 at 03:51:43PM -0700, Randy.Dunlap wrote:
> > >> On Wed, 28 Jun 2006 00:41:19 +0200 Eric Sesterhenn wrote:
> > >> > another off by one spotted by coverity (id #485),
> > >> > we loop exactly one time too often
> > >> >
> > >> > Signed-off-by: Eric Sesterhenn <[email protected]>
> > >> >
> > >> > --- linux-2.6.17-git11/drivers/usb/input/yealink.c.orig     2006-06-28 
> > >00:29:46.000000000 +0200
> > >> > +++ linux-2.6.17-git11/drivers/usb/input/yealink.c  2006-06-28 
> > >00:30:04.000000000 +0200
> > >> > @@ -350,7 +350,7 @@ static int yealink_do_idle_tasks(struct
> > >> >             val = yld->master.b[ix];
> > >> >             if (val != yld->copy.b[ix])
> > >> >                     goto send_update;
> > >> > -   } while (++ix < sizeof(yld->master));
> > >> > +   } while (++ix < sizeof(yld->master)-1);
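Review bot: the `-1` changes which bytes the loop compares, not whether it stays in bounds, so this hunk trades a non-bug for a real one. With `++ix < sizeof(yld->master)` the index is incremented before the comparison, so the body runs with `ix` in 0..sizeof-1 (assuming `ix` starts at 0, which the hunk does not show), which is already inside the buffer; with `sizeof(yld->master)-1` the last byte of `master` is never compared against `copy`, so an update to it would be silently dropped. Unless `ix` starts at something other than 0, drop the change, and if the prefix-increment condition is what confuses the checker, write it as `ix++;` followed by `} while (ix < sizeof(yld->master));`. Separately, the body indexes `yld->master.b[ix]` while the bound is `sizeof(yld->master)`, so it is worth confirming that those two sizes are the same.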
> > >
> > >Apart from introducing a new bug in the code, the construct is ugly.
> > >
> > >I would then rather see the more readable:
> > >
> > >       ix++;
> > >   } while (ix < sizeof(yld->master));
> > >
> > 
> > The new code is exactly the same as the old one; however I do not see
> > the problem with the old code. Could it be that Coverity got confused
> > by prefix vs. postfix increment?
> 
> I looked at this code several times too, and tried to reproduce the bug
> with the following little program:
> 
> #include <stdio.h>	/* putchar */
> #include <string.h>
> int main(int argc, char **argv) {
> 	char foo[] = "abcdef";	/* sizeof(foo) == 7: six letters plus the '\0' */
> 	int i = 0;
> 
> 	foo[strlen(foo)] = 'X';	/* overwrite the terminator so it shows up in the output */
> 	do {
> 		putchar(foo[i]);
> 	} while (++i < sizeof(foo));
> 	return 0;
> }
> 
> Which clearly shows that the terminating '\0' gets printed too,
> replaced by the X for better visibility, so the code
> runs past the array, or did I fail to replicate the original
> code somewhere?
> 

What do you mean "the code runs past the array"? The size of the array is 7
(the compiler allocates the space for the terminating '\0') and the array is
printed in its entirety.

-- 
Dmitry
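As an added illustration, not code from the thread or from yealink.c, the following program walks a constructed buffer with the three loop forms under discussion (the original `++ix < N`, the patched `++ix < N-1`, and the postfix `ix++ < N` that Coverity may have been reasoning about) and reports how many bodies ran and whether any would have indexed past the buffer; `MASTER_SIZE` and the `struct visit` bookkeeping are made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-in for the yld->master byte buffer (the size is made up). */
#define MASTER_SIZE 8

struct visit {
    size_t count;   /* loop bodies executed */
    int max_index;  /* highest index the body touched */
    int overrun;    /* 1 if the body would have indexed past the buffer */
};

/* Same shape as the kernel loop: do { ... b[ix] ... } while (++ix < bound).
 * The guard reports an out-of-bounds index instead of reading it. */
struct visit walk_prefix(size_t bound)
{
    unsigned char b[MASTER_SIZE] = {0};
    struct visit v = {0, -1, 0};
    size_t ix = 0;
    do {
        if (ix >= sizeof(b)) { v.overrun = 1; break; }
        (void)b[ix];
        v.count++;
        v.max_index = (int)ix;
    } while (++ix < bound);
    return v;
}

/* The postfix form Coverity may have assumed: while (ix++ < bound). */
struct visit walk_postfix(size_t bound)
{
    unsigned char b[MASTER_SIZE] = {0};
    struct visit v = {0, -1, 0};
    size_t ix = 0;
    do {
        if (ix >= sizeof(b)) { v.overrun = 1; break; }
        (void)b[ix];
        v.count++;
        v.max_index = (int)ix;
    } while (ix++ < bound);
    return v;
}

int main(void)
{
    struct visit r[3] = { walk_prefix(MASTER_SIZE), walk_prefix(MASTER_SIZE - 1), walk_postfix(MASTER_SIZE) };
    const char *name[3] = { "++ix < N", "++ix < N-1", "ix++ < N" };
    for (int i = 0; i < 3; i++)
        printf("%-10s: %zu bodies, max index %d, overrun %d\n", name[i], r[i].count, r[i].max_index, r[i].overrun);
    return 0;
}
```

Only the postfix form ever reaches index N; the prefix form visits exactly 0..N-1, and the `-1` bound stops one byte short.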