#2930 closed defect (fixed)
Coverity Reports Out of Bounds Read in drvmgr_print.c
Reported by: | Joel Sherrill | Owned by: | Daniel Hellstrom |
---|---|---|---|
Priority: | normal | Milestone: | 5.1 |
Component: | score | Version: | 5 |
Severity: | normal | Keywords: | |
Cc: | Blocked By: | ||
Blocking: |
Description
354 printf(" DRIVER ID: 0x%llx\n", drv->drv_id);
- Condition drv->name, taking true branch.
355 printf(" NAME: %s\n", drv->name ? drv->name : "NO_NAME");
356 printf(" BUS TYPE: %d\n", drv->bus_type);
357 printf(" OPERATIONS:\n");
- alias: Assigning: ppfunc = &drv->ops->init[0]. ppfunc now points to element 0 of drv->ops->init (which consists of 4 4-byte elements).
- Condition i < 6U /* sizeof (struct drvmgr_drv_ops) / sizeof (void (*)(void)) */, taking true branch.
- Condition i < 6U /* sizeof (struct drvmgr_drv_ops) / sizeof (void (*)(void)) */, taking true branch.
- cond_at_most: Checking i < 6U implies that i may be up to 5 on the true branch.
358 for (i = 0, ppfunc = (fun_ptr *)&drv->ops->init[0];
359 i < DRVMGR_OPS_NUM(struct drvmgr_drv_ops); i++)
- Jumping back to the beginning of the loop.
CID 1399730 (#1 of 1): Out-of-bounds read (OVERRUN)
- overrun-local: Overrunning array of 4 4-byte elements at element index 5 (byte offset 20) by dereferencing pointer ppfunc + i.
360 printf(" %s %p\n", drv_ops_names[i], ppfunc[i]);
361 printf(" NO. DEVICES: %d\n", drv->dev_cnt);
362
Change History (4)
comment:1 Changed on 03/15/17 at 16:03:24 by Joel Sherrill
Owner: | changed from joel.sherrill@… to Daniel Hellstrom |
---|---|
Status: | new → assigned |
comment:2 Changed on 05/11/17 at 07:31:02 by Sebastian Huber
Milestone: | 4.12 → 4.12.0 |
---|
comment:3 Changed on 08/29/17 at 07:09:36 by Daniel Hellstrom <daniel@…>
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:4 Changed on 11/09/17 at 06:27:14 by Sebastian Huber
Milestone: | 4.12.0 → 5.1 |
---|
Milestone renamed
Note: See
TracTickets for help on using
tickets.
In 3663be53/rtems: