Re: [Patch] Off by one in drivers/usb/input/yealink.c

From: Eric Sesterhenn / Snakebyte
Date: Wed Jul 05 2006 - 20:48:45 EST

Next message: john stultz: "Re: 2.6.17-mm2 hrtimer code wedges at boot?"
Previous message: Benjamin Herrenschmidt: "Re: [patch 3/7] Check root chipset no_msi flag instead of allparent busses flags"
In reply to: Henk Vergonet: "Re: [Patch] Off by one in drivers/usb/input/yealink.c"
Next in thread: Dmitry Torokhov: "Re: [Patch] Off by one in drivers/usb/input/yealink.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Dmitry Torokhov (dmitry.torokhov@xxxxxxxxx) wrote:
> On 7/5/06, Henk Vergonet <Henk.Vergonet@xxxxxxxxx> wrote:
> >On Tue, Jun 27, 2006 at 03:51:43PM -0700, Randy.Dunlap wrote:
> >> On Wed, 28 Jun 2006 00:41:19 +0200 Eric Sesterhenn wrote:
> >> > another off by one spotted by coverity (id #485),
> >> > we loop exactly one time too often
> >> >
> >> > Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>
> >> >
> >> > --- linux-2.6.17-git11/drivers/usb/input/yealink.c.orig 2006-06-28
> >00:29:46.000000000 +0200
> >> > +++ linux-2.6.17-git11/drivers/usb/input/yealink.c 2006-06-28
> >00:30:04.000000000 +0200
> >> > @@ -350,7 +350,7 @@ static int yealink_do_idle_tasks(struct
> >> > val = yld->master.b[ix];
> >> > if (val != yld->copy.b[ix])
> >> > goto send_update;
> >> > - } while (++ix < sizeof(yld->master));
> >> > + } while (++ix < sizeof(yld->master)-1);
> >
> >Apart from introducing a new bug in the code, the construct is ugly.
> >
> >I would rather see then the more readable:
> >
> > ix++;
> > } while (ix < sizeof(yld->master));
> >
>
> The new code is exactly the same as the old one; however I do not see
> the problem with the old code. Could it be that Coverity got confused
> by prefix vs. postfix increment?

I looked at this code several times too, and tried to reproduce the bug
with the following little program:

#include <string.h>
int main(int argc, char **argv) {
char foo[] = "abcdef";
int i = 0;

foo[strlen(foo)] = 'X';
do {
putchar(foo[i]);
} while (++i < sizeof(foo));
}

Which clearly shows that the terminating '\0' gets printed too,
replaced by the X for better visibility, so the code
runs past the array, or did I fail to replicate the original
code somewhere?

Eric

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: john stultz: "Re: 2.6.17-mm2 hrtimer code wedges at boot?"
Previous message: Benjamin Herrenschmidt: "Re: [patch 3/7] Check root chipset no_msi flag instead of allparent busses flags"
In reply to: Henk Vergonet: "Re: [Patch] Off by one in drivers/usb/input/yealink.c"
Next in thread: Dmitry Torokhov: "Re: [Patch] Off by one in drivers/usb/input/yealink.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]