#2930 closed defect (fixed)

Coverity Reports Out of Bounds Read in drvmgr_print.c

Reported by: Joel Sherrill
Owned by: Daniel Hellstrom
Priority: normal
Milestone: 5.1
Component: score
Version: 5
Severity: normal
Keywords:
Cc:
Blocked By:



354 printf(" DRIVER ID: 0x%llx\n", drv->drv_id);

  1. Condition drv->name, taking true branch.

355 printf(" NAME: %s\n", drv->name ? drv->name : "NO_NAME");
356 printf(" BUS TYPE: %d\n", drv->bus_type);
357 printf(" OPERATIONS:\n");

  1. alias: Assigning: ppfunc = &drv->ops->init[0]. ppfunc now points to element 0 of drv->ops->init (which consists of 4 4-byte elements).
  2. Condition i < 6U /* sizeof (struct drvmgr_drv_ops) / sizeof (void (*)(void)) */, taking true branch.
  3. Condition i < 6U /* sizeof (struct drvmgr_drv_ops) / sizeof (void (*)(void)) */, taking true branch.
  4. cond_at_most: Checking i < 6U implies that i may be up to 5 on the true branch.

358 for (i = 0, ppfunc = (fun_ptr *)&drv->ops->init[0];
359 i < DRVMGR_OPS_NUM(struct drvmgr_drv_ops); i++)

  1. Jumping back to the beginning of the loop.

CID 1399730 (#1 of 1): Out-of-bounds read (OVERRUN)

  1. overrun-local: Overrunning array of 4 4-byte elements at element index 5 (byte offset 20) by dereferencing pointer ppfunc + i.

360 printf(" %s %p\n", drv_ops_names[i], ppfunc[i]);
361 printf(" NO. DEVICES: %d\n", drv->dev_cnt);
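
The pattern flagged above takes a pointer to element 0 of a 4-element member array and indexes it up to 5. It can be avoided by reading every slot through the member that owns it. The C sketch below is an added example, not the RTEMS source and not the change made in the fixing commit; `struct ops`, `remove_op`, `info_op`, `ops_names` and `ops_collect` are hypothetical stand-ins built from the sizes given in the report.

```c
#include <stddef.h>
#include <stdio.h>

typedef void (*fun_ptr)(void);

/* Constructed stand-in for struct drvmgr_drv_ops. The report gives init[4] and
 * six pointer-sized slots in total; remove_op and info_op are hypothetical. */
struct ops {
    fun_ptr init[4];
    fun_ptr remove_op;
    fun_ptr info_op;
};

#define INIT_NUM (sizeof(((struct ops *)0)->init) / sizeof(fun_ptr))
#define OPS_NUM  (sizeof(struct ops) / sizeof(fun_ptr))

/* Hypothetical label table; the size check keeps it in step with the struct. */
static const char *const ops_names[] = {
    "init[0]", "init[1]", "init[2]", "init[3]", "remove", "info"
};
_Static_assert(sizeof(ops_names) / sizeof(ops_names[0]) == OPS_NUM,
               "one name per operation slot");

/* Flagged form in the ticket: ppfunc = &ops->init[0], then ppfunc[i] for i < 6.
 * Here each read goes through the member that owns the slot, so the index
 * into init[] never exceeds its declared bound. Returns the slots written. */
size_t ops_collect(const struct ops *o, fun_ptr out[], size_t cap)
{
    size_t n = 0;
    if (o == NULL || out == NULL || cap < OPS_NUM)
        return 0;                      /* refuse a short destination */
    for (size_t i = 0; i < INIT_NUM; i++)
        out[n++] = o->init[i];
    out[n++] = o->remove_op;
    out[n++] = o->info_op;
    return n;
}

static void stub_a(void) {}
static void stub_b(void) {}

int main(void)
{
    struct ops o = { { stub_a, NULL, NULL, NULL }, NULL, stub_b };
    fun_ptr slots[OPS_NUM];
    size_t n = ops_collect(&o, slots, OPS_NUM);
    for (size_t i = 0; i < n; i++)
        printf("  %-8s %s\n", ops_names[i], slots[i] ? "set" : "unset");
    return 0;
}
```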

Change History (4)

comment:1 Changed on 03/15/17 at 16:03:24 by Joel Sherrill

Owner: changed from joel.sherrill@… to Daniel Hellstrom
Status: changed from new to assigned

comment:2 Changed on 05/11/17 at 07:31:02 by Sebastian Huber


comment:3 Changed on 08/29/17 at 07:09:36 by Daniel Hellstrom <daniel@…>

Resolution: fixed
Status: changed from assigned to closed

In 3663be53/rtems:

drvmgr: clean up info_drv print

Fixes #2930

comment:4 Changed on 11/09/17 at 06:27:14 by Sebastian Huber


Milestone renamed
