On 02/16/2016 08:45 AM, Paolo Bonzini wrote:
>
>
> On 06/02/2016 20:13, Michael S. Tsirkin wrote:
>>
>> - if (sdr[7] > MAX_SENSORS) {
>> + if (sdr->sensor_owner_number > MAX_SENSORS) {
>
> This is another off-by-one, it should have been >=. Same for all these
> occurrences later in the same file:
>
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
> hw/ipmi/ipmi_bmc_sim.c: if ((cmd[2] > MAX_SENSORS) ||
I missed that. Here is a patch.
Thanks,
C.
From: Cédric Le Goater <[email protected]>
Subject: [PATCH] ipmi: sensor number should not exceed MAX_SENSORS
Date: Tue, 16 Feb 2016 09:05:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Cédric Le Goater <[email protected]>
---
hw/ipmi/ipmi_bmc_sim.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
Index: qemu-powernv.git/hw/ipmi/ipmi_bmc_sim.c
===================================================================
--- qemu-powernv.git.orig/hw/ipmi/ipmi_bmc_sim.c
+++ qemu-powernv.git/hw/ipmi/ipmi_bmc_sim.c
@@ -536,7 +536,7 @@ static void ipmi_init_sensors_from_sdrs(
continue; /* Not a sensor SDR we set from */
}
- if (sdr->sensor_owner_number > MAX_SENSORS) {
+ if (sdr->sensor_owner_number >= MAX_SENSORS) {
continue;
}
sens = s->sensors + sdr->sensor_owner_number;
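Review bot: The bounds check in ipmi_init_sensors_from_sdrs carries no comment saying why an out-of-range SDR is skipped, and that reason is exactly what the old `>` got wrong: `sdr->sensor_owner_number` is used on the next line as an index into `s->sensors`. I would add `/* sensor number indexes s->sensors[]; valid values are 0..MAX_SENSORS-1 */` above the `if`. This presumes the array is declared with MAX_SENSORS elements, which is not visible on this page. The function starts and ends outside the hunk.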
@@ -1448,7 +1448,7 @@ static void set_sensor_evt_enable(IPMIBm
IPMISensor *sens;
IPMI_CHECK_CMD_LEN(4);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;
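Review bot: The same two-part validity test is open-coded in set_sensor_evt_enable and in the six handlers patched below (get_sensor_evt_enable, rearm_sensor_evts, get_sensor_evt_status, get_sensor_reading, set_sensor_type, get_sensor_type), which is presumably how one wrong operator ended up in seven places. `cmd[2]` appears to come straight from the request, so the bound must be evaluated before IPMI_SENSOR_GET_PRESENT touches `ibs->sensors + cmd[2]`. A single helper such as `static bool sensor_present(IPMIBmcSim *ibs, unsigned int n) { return n < MAX_SENSORS && IPMI_SENSOR_GET_PRESENT(ibs->sensors + n); }` would keep that ordering and the limit in one place. Each handler would then test `if (!sensor_present(ibs, cmd[2])) {`. The handler bodies continue outside the hunks.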
@@ -1500,7 +1500,7 @@ static void get_sensor_evt_enable(IPMIBm
IPMISensor *sens;
IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;
@@ -1521,7 +1521,7 @@ static void rearm_sensor_evts(IPMIBmcSim
IPMISensor *sens;
IPMI_CHECK_CMD_LEN(4);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;
@@ -1543,7 +1543,7 @@ static void get_sensor_evt_status(IPMIBm
IPMISensor *sens;
IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;
@@ -1565,7 +1565,7 @@ static void get_sensor_reading(IPMIBmcSi
IPMISensor *sens;
IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;
@@ -1588,7 +1588,7 @@ static void set_sensor_type(IPMIBmcSim *
IPMI_CHECK_CMD_LEN(5);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;
@@ -1607,7 +1607,7 @@ static void get_sensor_type(IPMIBmcSim *
IPMI_CHECK_CMD_LEN(3);
- if ((cmd[2] > MAX_SENSORS) ||
+ if ((cmd[2] >= MAX_SENSORS) ||
!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
return;