[RTEMS Project] #2930: Coverity Reports Out of Bounds Read in drvmgr_print.c
RTEMS trac
trac at rtems.org
Tue Mar 14 21:31:10 UTC 2017
#2930: Coverity Reports Out of Bounds Read in drvmgr_print.c
---------------------------+-----------------------------
Reporter: Joel Sherrill | Owner: joel.sherrill@…
Type: defect | Status: new
Priority: normal | Milestone: 4.12
Component: cpukit | Version: 4.12
Severity: normal | Keywords:
---------------------------+-----------------------------
https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109359850&defectInstanceId=30967449&mergedDefectId=1399730
354 printf(" DRIVER ID: 0x%llx\n", drv->drv_id);
1. Condition drv->name, taking true branch.
355 printf(" NAME: %s\n", drv->name ? drv->name :
"NO_NAME");
356 printf(" BUS TYPE: %d\n", drv->bus_type);
357 printf(" OPERATIONS:\n");
2. alias: Assigning: ppfunc = &drv->ops->init[0]. ppfunc now
points to element 0 of drv->ops->init (which consists of 4 4-byte
elements).
3. Condition i < 6U /* sizeof (struct drvmgr_drv_ops) / sizeof
(void (*)(void)) */, taking true branch.
5. Condition i < 6U /* sizeof (struct drvmgr_drv_ops) / sizeof
(void (*)(void)) */, taking true branch.
6. cond_at_most: Checking i < 6U implies that i may be up to 5 on
the true branch.
358 for (i = 0, ppfunc = (fun_ptr *)&drv->ops->init[0];
359 i < DRVMGR_OPS_NUM(struct drvmgr_drv_ops); i++)
4. Jumping back to the beginning of the loop.
CID 1399730 (#1 of 1): Out-of-bounds read (OVERRUN)
7. overrun-local: Overrunning array of 4 4-byte elements at element index
5 (byte offset 20) by dereferencing pointer ppfunc + i.
360 printf(" %s %p\n", drv_ops_names[i], ppfunc[i]);
361 printf(" NO. DEVICES: %d\n", drv->dev_cnt);
362
--
Ticket URL: <http://devel.rtems.org/ticket/2930>
RTEMS Project <http://www.rtems.org/>
RTEMS Project
More information about the bugs
mailing list