Skip to content

Commit

Permalink
fix: minor memory bugs #784
Browse files Browse the repository at this point in the history
Fixes the following Coverity reports:

________________________________________________________________________________________________________
*** CID 417161:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/samples/server.c: 438 in migration_write_data()
432         }
433    
434         /* write to bar0, if any */
435         if (write_end > server_data->bar1_size) {
436             length_in_bar0 = write_end - write_start;
437             write_start -= server_data->bar1_size;
     CID 417161:  Memory - corruptions  (ARRAY_VS_SINGLETON)
     Using "&server_data->bar0" as an array.  This might corrupt or misinterpret adjacent memory locations.
438             memcpy(&server_data->bar0 + write_start, buf + length_in_bar1,
439                    length_in_bar0);
440         }
441    
442         server_data->migration.bytes_transferred += bytes_written;
443    

________________________________________________________________________________________________________
*** CID 417160:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/samples/server.c: 394 in migration_read_data()
388         }
389    
390         /* read bar0, if any */
391         if (read_end > server_data->bar1_size) {
392             length_in_bar0 = read_end - read_start;
393             read_start -= server_data->bar1_size;
     CID 417160:  Memory - corruptions  (ARRAY_VS_SINGLETON)
     Using "&server_data->bar0" as an array.  This might corrupt or misinterpret adjacent memory locations.
394             memcpy(buf + length_in_bar1, &server_data->bar0 + read_start,
395                    length_in_bar0);
396         }
397    
398         server_data->migration.bytes_transferred += bytes_read;
399    

________________________________________________________________________________________________________
*** CID 417159:  Possible Control flow issues  (DEADCODE)
/lib/libvfio-user.c: 121 in dev_get_caps()
115    
116         header = (struct vfio_info_cap_header*)(vfio_reg + 1);
117    
118         if (vfu_reg->mmap_areas != NULL) {
119             int i, nr_mmap_areas = vfu_reg->nr_mmap_areas;
120             if (type != NULL) {
     CID 417159:  Possible Control flow issues  (DEADCODE)
     Execution cannot reach this statement: "type->header.next = vfio_re...".
121                 type->header.next = vfio_reg->cap_offset + sizeof(struct vfio_region_info_cap_type);
122                 sparse = (struct vfio_region_info_cap_sparse_mmap*)(type + 1);
123             } else {
124                 vfio_reg->cap_offset = sizeof(struct vfio_region_info);
125                 sparse = (struct vfio_region_info_cap_sparse_mmap*)header;
126             }

Signed-off-by: William Henderson <william.henderson@nutanix.com>
  • Loading branch information
w-henderson authored Sep 18, 2023
1 parent 3c18696 commit 1c0cf16
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 10 deletions.
10 changes: 2 additions & 8 deletions lib/libvfio-user.c
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,6 @@ dev_get_caps(vfu_ctx_t *vfu_ctx, vfu_reg_info_t *vfu_reg,
struct vfio_region_info *vfio_reg, int **fds, size_t *nr_fds)
{
struct vfio_info_cap_header *header;
struct vfio_region_info_cap_type *type = NULL;
struct vfio_region_info_cap_sparse_mmap *sparse = NULL;

assert(vfu_ctx != NULL);
Expand All @@ -117,13 +116,8 @@ dev_get_caps(vfu_ctx_t *vfu_ctx, vfu_reg_info_t *vfu_reg,

if (vfu_reg->mmap_areas != NULL) {
int i, nr_mmap_areas = vfu_reg->nr_mmap_areas;
if (type != NULL) {
type->header.next = vfio_reg->cap_offset + sizeof(struct vfio_region_info_cap_type);
sparse = (struct vfio_region_info_cap_sparse_mmap*)(type + 1);
} else {
vfio_reg->cap_offset = sizeof(struct vfio_region_info);
sparse = (struct vfio_region_info_cap_sparse_mmap*)header;
}
vfio_reg->cap_offset = sizeof(struct vfio_region_info);
sparse = (struct vfio_region_info_cap_sparse_mmap *)header;

*fds = malloc(nr_mmap_areas * sizeof(int));
if (*fds == NULL) {
Expand Down
4 changes: 2 additions & 2 deletions samples/server.c
Original file line number Diff line number Diff line change
Expand Up @@ -391,7 +391,7 @@ migration_read_data(vfu_ctx_t *vfu_ctx, void *buf, uint64_t size)
if (read_end > server_data->bar1_size) {
length_in_bar0 = read_end - read_start;
read_start -= server_data->bar1_size;
memcpy(buf + length_in_bar1, &server_data->bar0 + read_start,
memcpy(buf + length_in_bar1, (char *)&server_data->bar0 + read_start,
length_in_bar0);
}

Expand Down Expand Up @@ -435,7 +435,7 @@ migration_write_data(vfu_ctx_t *vfu_ctx, void *data, uint64_t size)
if (write_end > server_data->bar1_size) {
length_in_bar0 = write_end - write_start;
write_start -= server_data->bar1_size;
memcpy(&server_data->bar0 + write_start, buf + length_in_bar1,
memcpy((char *)&server_data->bar0 + write_start, buf + length_in_bar1,
length_in_bar0);
}

Expand Down

0 comments on commit 1c0cf16

Please sign in to comment.