Hello!

The following function in the EHCI scheduling code causes the SVACE static
analyzer to report possible buffer overflow (see the last assignment below),
e.g.:

Buffer 'ehci->bandwidth' of size 64 accessed at ehci-sched.c:240 can overflow,
since its index 'i + j' can have value 66 that is out of range, as indicated
by preceding conditional expression at ehci-sched.c:240.

I tried hard to analyze this code but couldn't quite figure out whether an
overflow could actually happen... Maybe Alan (or Greg?) could please help me
out?

static void reserve_release_intr_bandwidth(struct ehci_hcd *ehci,
		struct ehci_qh *qh, int sign)
{
	unsigned		start_uf;
	unsigned		i, j, m;
	int			usecs = qh->ps.usecs;
	int			c_usecs = qh->ps.c_usecs;
	int			tt_usecs = qh->ps.tt_usecs;
	struct ehci_tt		*tt;

	if (qh->ps.phase == NO_FRAME)	/* Bandwidth wasn't reserved */
		return;
	start_uf = qh->ps.bw_phase << 3;

	bandwidth_dbg(ehci, sign, "intr", &qh->ps);

	if (sign < 0) {		/* Release bandwidth */
		usecs = -usecs;
		c_usecs = -c_usecs;
		tt_usecs = -tt_usecs;
	}

	/* Entire transaction (high speed) or start-split (full/low speed) */
	for (i = start_uf + qh->ps.phase_uf; i < EHCI_BANDWIDTH_SIZE;
			i += qh->ps.bw_uperiod)
		ehci->bandwidth[i] += usecs;

	/* Complete-split (full/low speed) */
	if (qh->ps.c_usecs) {
		/* NOTE: adjustments needed for FSTN */
		for (i = start_uf; i < EHCI_BANDWIDTH_SIZE;
				i += qh->ps.bw_uperiod) {
			for ((j = 2, m = 1 << (j+8)); j < 8; (++j, m <<= 1)) {
				if (qh->ps.cs_mask & m)
					ehci->bandwidth[i+j] += c_usecs;
			}
		}
	}
[...]

There shouldn't be a buffer overflow iff qh->ps.bw_uperiod is a multiple of 8,
right?

MBR, Sergey
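
A small stand-alone model of the index arithmetic in the complete-split loop quoted above, added here as an illustration; it is not part of the original message or of the kernel source. It assumes EHCI_BANDWIDTH_SIZE is 64 (the size in the analyzer report), treats every cs_mask bit as set (worst case), and sweeps constructed ranges of bw_phase (0..7) and bw_uperiod (1..64) that say nothing about which values the driver actually permits.

```c
#include <stdio.h>

#define EHCI_BANDWIDTH_SIZE 64	/* assumed: size quoted in the analyzer report */

/*
 * Largest index i + j the complete-split loop can form for the given
 * bw_phase and bw_uperiod, assuming all cs_mask bits for j = 2..7 are set.
 * Only the loop bounds are modelled; no array is touched.
 */
static unsigned max_cs_index(unsigned bw_phase, unsigned bw_uperiod)
{
	unsigned start_uf = bw_phase << 3;
	unsigned i, j, max = 0;

	if (bw_uperiod == 0)	/* loop would never advance; not modelled */
		return 0;
	for (i = start_uf; i < EHCI_BANDWIDTH_SIZE; i += bw_uperiod)
		for (j = 2; j < 8; ++j)
			if (i + j > max)
				max = i + j;
	return max;
}

/*
 * Count (bw_phase, bw_uperiod) pairs in the constructed ranges whose
 * largest index falls outside the array; bw_uperiod steps by 'step'.
 */
static unsigned count_out_of_range(unsigned step)
{
	unsigned phase, up, bad = 0;

	for (phase = 0; phase < 8; ++phase)
		for (up = step; up <= 64; up += step)
			if (max_cs_index(phase, up) >= EHCI_BANDWIDTH_SIZE)
				++bad;
	return bad;
}

int main(void)
{
	printf("bw_uperiod in 8,16..64: %u out-of-range cases\n",
	       count_out_of_range(8));
	printf("bw_uperiod in 1..64:    %u out-of-range cases\n",
	       count_out_of_range(1));
	printf("phase 0, uperiod 8: max index %u\n", max_cs_index(0, 8));
	printf("phase 0, uperiod 1: max index %u\n", max_cs_index(0, 1));
	return 0;
}
```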