[Patch] Negative index in drivers/usb/host/isp116x-hcd.c

From: Eric Sesterhenn
Date: Wed May 31 2006 - 18:32:38 EST

Next message: Tom Rini: "Re: linux-2.6 x86_64 kgdb issue"
Previous message: Ingo Molnar: "Re: 2.6.17-rc5-mm1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi,

This fixes coverity Bug #390.

With the following code

ret = ep->branch = balance(isp116x, ep->period, ep->load);
if (ret < 0)
goto fail;

the problem is that ret and balance are of the type int, and ep->branch is u16.
so the int balance() returns gets reduced to u16 and then converted to an int again,
which removes the sign. Maybe the following little c program can explain it better:

----snip----
int foo() {
return -5;
}

int main(int argc, char **argv) {
int a;
unsigned short b;

a = b = foo();
if (a < 0)
puts("case 1 works\n");

b = a = foo();
if (a < 0 )
puts("case 2 works\n");
}
----snip----

only the case 2 output is visible.

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>

--- linux-2.6.17-rc5/drivers/usb/host/isp116x-hcd.c.orig 2006-06-01 00:25:32.000000000 +0200
+++ linux-2.6.17-rc5/drivers/usb/host/isp116x-hcd.c 2006-06-01 00:26:18.000000000 +0200
@@ -781,7 +781,7 @@ static int isp116x_urb_enqueue(struct us
if (ep->branch < PERIODIC_SIZE)
break;

- ret = ep->branch = balance(isp116x, ep->period, ep->load);
+ ep->branch = ret = balance(isp116x, ep->period, ep->load);
if (ret < 0)
goto fail;
ret = 0;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tom Rini: "Re: linux-2.6 x86_64 kgdb issue"
Previous message: Ingo Molnar: "Re: 2.6.17-rc5-mm1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]