folkert/simh-testsetgenerator
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

PDP11, VAX: XQ device fixes (COVERITY)

Browse source 
- Fix potential beyond array bounds memory references
- Fix MOP protocol packet parsing
This commit is contained in:
Mark Pizzolato 2017-03-11 16:00:00 -08:00
parent 65f8e72b40
commit 235a39714c
1 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
PDP11/pdp11_xq.c
View file

@ -632,7 +632,7 @@ t_stat xq_ex (t_value* vptr, t_addr addr, UNIT* uptr, int32 sw)
else else
if (xq->var->type == XQ_T_DELQA_PLUS) if (xq->var->type == XQ_T_DELQA_PLUS)
bootrom = xq_bootrom_delqat; bootrom = xq_bootrom_delqat;
if (addr <= sizeof(xq_bootrom_delqa)/2) if ((bootrom) && (addr < sizeof(xq_bootrom_delqa)/2))
*vptr = bootrom[addr]; *vptr = bootrom[addr];
else else
*vptr = 0; *vptr = 0;
@ -1348,7 +1348,7 @@ t_stat xq_process_mop(CTLR* xq)
} /* switch */ } /* switch */
/* process next meb */ /* process next meb */
meb += sizeof(struct xq_meb); meb += 1;
} /* while */ } /* while */
return SCPE_OK; return SCPE_OK;
@ -1975,9 +1975,13 @@ t_stat xq_process_loopback(CTLR* xq, ETH_PACK* pack)
ETH_MAC *physical_address; ETH_MAC *physical_address;
t_stat status; t_stat status;
int offset = 16 + (pack->msg[14] | (pack->msg[15] << 8)); int offset = 16 + (pack->msg[14] | (pack->msg[15] << 8));
int function = pack->msg[offset] | (pack->msg[offset+1] << 8); int function;
sim_debug(DBG_TRC, xq->dev, "xq_process_loopback()\n"); if (offset > ETH_MAX_PACKET - 8)
return SCPE_NOFNC;
function = pack->msg[offset] | (pack->msg[offset+1] << 8);
sim_debug(DBG_TRC, xq->dev, "xq_process_loopback(function=%d)\n", function);
if (function != 2 /*forward*/) if (function != 2 /*forward*/)
return SCPE_NOFNC; return SCPE_NOFNC;