diff options
author | Suraj Jitindar Singh <sjitindarsingh@gmail.com> | 2016-06-28 14:20:53 +1000 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2016-06-30 15:55:10 +1000 |
commit | e46199974cca896f8012743eaad3cae140aba5a9 (patch) | |
tree | 111ed747b2c0901cd5526beef830cccf5e61e7d6 /hw | |
parent | 44bdc5cdfab0bceb4e2c7eadb0deebf455daefc3 (diff) | |
download | skiboot-e46199974cca896f8012743eaad3cae140aba5a9.zip skiboot-e46199974cca896f8012743eaad3cae140aba5a9.tar.gz skiboot-e46199974cca896f8012743eaad3cae140aba5a9.tar.bz2 |
fsp/op-panel: Fix out of bounds array access and #define display dimensions
In the function __opal_write_oppanel() coverity complains about an out
of bounds array access. While the pointer is never actually dereferenced,
this isn't immediately obvious from the code. Additionally the number and
length of the lines on the operator panel display are hard coded into
the function. While we are here we might as well move these into a #define
statement.
Rework the code in __opal_write_oppanel() where the message is copied into
the buffer so that coverity won't complain about an out of bounds array
access and so that it is line number and length agnostic (now relying on
the #defined values).
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/fsp/fsp-op-panel.c | 30 |
1 files changed, 13 insertions, 17 deletions
diff --git a/hw/fsp/fsp-op-panel.c b/hw/fsp/fsp-op-panel.c index 65e0f48..eb61e8d 100644 --- a/hw/fsp/fsp-op-panel.c +++ b/hw/fsp/fsp-op-panel.c @@ -132,8 +132,7 @@ struct op_src { uint32_t word7; uint32_t word8; uint32_t word9; -#define OP_SRC_ASCII_LEN 32 - uint8_t ascii[OP_SRC_ASCII_LEN]; /* Word 11 */ + uint8_t ascii[OP_PANEL_NUM_LINES * OP_PANEL_LINE_LEN]; /* Word 11 */ } __packed __align(4); /* Page align for the sake of TCE mapping */ @@ -169,7 +168,7 @@ static int64_t __opal_write_oppanel(oppanel_line_t *lines, uint64_t num_lines, int len; int i; - if (num_lines < 1 || num_lines > 2) + if (num_lines < 1 || num_lines > OP_PANEL_NUM_LINES) return OPAL_PARAMETER; /* Only one in flight */ @@ -200,18 +199,15 @@ static int64_t __opal_write_oppanel(oppanel_line_t *lines, uint64_t num_lines, op_src.total_size = sizeof(op_src); op_src.word2 = 0; /* should be unneeded */ - len = be64_to_cpu(lines[0].line_len); - if (len > 16) - len = 16; - - memset(op_src.ascii + len, ' ', 16-len); - memcpy(op_src.ascii, (void*)be64_to_cpu(lines[0].line), len); - if (num_lines > 1) { - len = be64_to_cpu(lines[1].line_len); - if (len > 16) - len = 16; - memcpy(op_src.ascii + 16, (void*)be64_to_cpu(lines[1].line), len); - memset(op_src.ascii + 16 + len, ' ', 16-len); + for (i = 0; i < num_lines; i++) { + uint8_t *current_line = op_src.ascii + (i * OP_PANEL_LINE_LEN); + + len = be64_to_cpu(lines[i].line_len); + if (len < OP_PANEL_LINE_LEN) + memset(current_line + len, ' ', OP_PANEL_LINE_LEN-len); + else + len = OP_PANEL_LINE_LEN; + memcpy(current_line, (void *) be64_to_cpu(lines[i].line), len); } for (i = 0; i < sizeof(op_src.ascii); i++) { @@ -265,7 +261,7 @@ void fsp_oppanel_init(void) opal_register(OPAL_WRITE_OPPANEL_ASYNC, opal_write_oppanel_async, 3); oppanel = dt_new(opal_node, "oppanel"); - dt_add_property_cells(oppanel, "#length", 16); - dt_add_property_cells(oppanel, "#lines", 2); + dt_add_property_cells(oppanel, "#length", OP_PANEL_LINE_LEN); + dt_add_property_cells(oppanel, "#lines", OP_PANEL_NUM_LINES); dt_add_property_string(oppanel, "compatible", "ibm,opal-oppanel"); } |