author | William Henderson <william.henderson@nutanix.com> | 2023-09-18 14:30:04 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-18 14:30:04 +0100 |
commit | 1c0cf16e49544a849b5382cc0622dc7cd01f0f36 (patch) | |
tree | 07dbc3226fc5cb3e523501912fe5a24459744873 /lib | |
parent | 3c18696427c4db338919f9a9e1943589a5a523b5 (diff) | |
fix: minor memory bugs #784
Fixes the following Coverity reports:
________________________________________________________________________________________________________
*** CID 417161: Memory - corruptions (ARRAY_VS_SINGLETON)
/samples/server.c: 438 in migration_write_data()
432 }
433
434 /* write to bar0, if any */
435 if (write_end > server_data->bar1_size) {
436 length_in_bar0 = write_end - write_start;
437 write_start -= server_data->bar1_size;
CID 417161: Memory - corruptions (ARRAY_VS_SINGLETON)
Using "&server_data->bar0" as an array. This might corrupt or misinterpret adjacent memory locations.
438 memcpy(&server_data->bar0 + write_start, buf + length_in_bar1,
439 length_in_bar0);
440 }
441
442 server_data->migration.bytes_transferred += bytes_written;
443
________________________________________________________________________________________________________
*** CID 417160: Memory - corruptions (ARRAY_VS_SINGLETON)
/samples/server.c: 394 in migration_read_data()
388 }
389
390 /* read bar0, if any */
391 if (read_end > server_data->bar1_size) {
392 length_in_bar0 = read_end - read_start;
393 read_start -= server_data->bar1_size;
CID 417160: Memory - corruptions (ARRAY_VS_SINGLETON)
Using "&server_data->bar0" as an array. This might corrupt or misinterpret adjacent memory locations.
394 memcpy(buf + length_in_bar1, &server_data->bar0 + read_start,
395 length_in_bar0);
396 }
397
398 server_data->migration.bytes_transferred += bytes_read;
399
________________________________________________________________________________________________________
*** CID 417159: Possible Control flow issues (DEADCODE)
/lib/libvfio-user.c: 121 in dev_get_caps()
115
116 header = (struct vfio_info_cap_header*)(vfio_reg + 1);
117
118 if (vfu_reg->mmap_areas != NULL) {
119 int i, nr_mmap_areas = vfu_reg->nr_mmap_areas;
120 if (type != NULL) {
CID 417159: Possible Control flow issues (DEADCODE)
Execution cannot reach this statement: "type->header.next = vfio_re...".
121 type->header.next = vfio_reg->cap_offset + sizeof(struct vfio_region_info_cap_type);
122 sparse = (struct vfio_region_info_cap_sparse_mmap*)(type + 1);
123 } else {
124 vfio_reg->cap_offset = sizeof(struct vfio_region_info);
125 sparse = (struct vfio_region_info_cap_sparse_mmap*)header;
126 }
Signed-off-by: William Henderson <william.henderson@nutanix.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libvfio-user.c | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/lib/libvfio-user.c b/lib/libvfio-user.c
index 81b0010..47ae522 100644
--- a/lib/libvfio-user.c
+++ b/lib/libvfio-user.c
@@ -105,7 +105,6 @@ dev_get_caps(vfu_ctx_t *vfu_ctx, vfu_reg_info_t *vfu_reg,
              struct vfio_region_info *vfio_reg, int **fds, size_t *nr_fds)
 {
     struct vfio_info_cap_header *header;
-    struct vfio_region_info_cap_type *type = NULL;
     struct vfio_region_info_cap_sparse_mmap *sparse = NULL;
 
     assert(vfu_ctx != NULL);
@@ -117,13 +116,8 @@ dev_get_caps(vfu_ctx_t *vfu_ctx, vfu_reg_info_t *vfu_reg,
 
     if (vfu_reg->mmap_areas != NULL) {
         int i, nr_mmap_areas = vfu_reg->nr_mmap_areas;
-        if (type != NULL) {
-            type->header.next = vfio_reg->cap_offset + sizeof(struct vfio_region_info_cap_type);
-            sparse = (struct vfio_region_info_cap_sparse_mmap*)(type + 1);
-        } else {
-            vfio_reg->cap_offset = sizeof(struct vfio_region_info);
-            sparse = (struct vfio_region_info_cap_sparse_mmap*)header;
-        }
+        vfio_reg->cap_offset = sizeof(struct vfio_region_info);
+        sparse = (struct vfio_region_info_cap_sparse_mmap *)header;
 
         *fds = malloc(nr_mmap_areas * sizeof(int));
         if (*fds == NULL) {
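Review bot: The two added lines in the second hunk now hard-code two invariants that nothing in the code states: that the sparse-mmap capability is the only capability dev_get_caps ever emits (the `type` chain being the only other one, now deleted), and that `header`, computed earlier as `(struct vfio_info_cap_header*)(vfio_reg + 1)` per the Coverity excerpt in the description, sits at exactly the offset written into `cap_offset`. A short comment above the assignments would protect the next person who adds a capability type, e.g. `/* sparse mmap is the only capability we emit; it starts immediately after the region info, which is what cap_offset must point at */`. It would also be worth noting next to the `sparse = (...)header` line that the buffer behind vfio_reg is presumably sized by the caller for the sparse header plus `nr_mmap_areas` area entries, since nothing in this hunk checks that before the cast; if that check lives elsewhere in the function, a one-line pointer to it is enough. dev_get_caps starts and ends outside the hunks shown.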