From 342019bb07162db2c1bf106c4fec35b0c61e5879 Mon Sep 17 00:00:00 2001 From: Andrei Vagin Date: Tue, 17 Oct 2017 09:34:52 +0300 Subject: [PATCH] zdtm: avoid arithmetic overflow in datagen and datachk p + FAST_SIZE > buffer + length In this sentence p + FAST_SIZE may be bigger than (1<<32), and we will be in trouble. $ gdb -c coredump test/zdtm/static/write_read01 (gdb) p p $3 = (uint8_t *) 0xffffa89e (gdb) p buffer $4 = (uint8_t *) 0xfff06780 (gdb) p length $5 = 1000000 Signed-off-by: Andrei Vagin --- test/zdtm/lib/datagen.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/test/zdtm/lib/datagen.c b/test/zdtm/lib/datagen.c index 550339c40..83fbea285 100644 --- a/test/zdtm/lib/datagen.c +++ b/test/zdtm/lib/datagen.c @@ -14,42 +14,42 @@ static void datagen_fast(uint8_t *buffer, unsigned length, uint32_t *crc) { - uint8_t *p; + size_t off; datagen(buffer, FAST_SIZE, crc); - p = buffer + FAST_SIZE; + off = FAST_SIZE; - while (p < buffer + length) { + while (off < length) { unsigned long size = FAST_SIZE; - if (p + FAST_SIZE > buffer + length) - size = buffer + length - p; - memcpy(p, buffer, size); + if (off + FAST_SIZE > length) + size = length - off; + memcpy(buffer + off, buffer, size); - p += FAST_SIZE; + off += size; } } static int datachk_fast(const uint8_t *buffer, unsigned length, uint32_t *crc) { - const uint8_t *p; + size_t off; if (datachk(buffer, FAST_SIZE, crc)) return 1; - p = buffer + FAST_SIZE; + off = FAST_SIZE; - while (p < buffer + length) { + while (off < length) { unsigned long size = FAST_SIZE; - if (p + FAST_SIZE > buffer + length) - size = buffer + length - p; + if (off + FAST_SIZE > length) + size = length - off; - if (memcmp(p, buffer, size)) { - test_msg("Memory corruption [%p, %p]\n", p, p + size); + if (memcmp(buffer + off, buffer, size)) { + test_msg("Memory corruption [%p, %p]\n", buffer, buffer + size); return 1; } - p += FAST_SIZE; + off += size; } return 0;