On 2020/11/11 上午5:52, Pavel Pisa wrote:
> Credit for finding and fixes goes to Peter Maydell
>
> This patchset fixes a couple of issues spotted by Coverity:
> * incorrect address checks meant the guest could write off the
> end of the tx_buffer arrays
> * we had an unused value in ctucan_send_ready_buffers()
> and also some I noticed while reading the code:
> * we don't adjust the device's non-portable use of bitfields
> on bigendian hosts
> * we should use stl_le_p() rather than casting uint_t* to
> uint32_t*
>
> Tested with "make check" only.
>
> Changes v1->v2: don't assert() the can't-happen case in patch 1,
> to allow for future adjustment of #defines that correspond to
> h/w synthesis parameters.
>
> Changes v2->v3: minnor corrections of range checking,
> support for unaligned and partial word writes into Tx
> buffers. Tested on x86_64 guest on x86_64 host and bige-edian
> MIPS guest on x86_64 host Pavel Pisa.
>
> Peter Maydell (4):
> hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
> hw/net/can/ctucan: Avoid unused value in ctucan_send_ready_buffers()
> hw/net/can/ctucan_core: Handle big-endian hosts
> hw/net/can/ctucan_core: Use stl_le_p to write to tx_buffers
>
> hw/net/can/ctucan_core.c | 23 +++++++----------------
> hw/net/can/ctucan_core.h | 3 +--
> 2 files changed, 8 insertions(+), 18 deletions(-)
Applied.
Thanks
>