From 33eff5c84d52e7186e0882ea5ee9ac5501c3deea Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 16 Oct 2025 15:54:07 +0100 Subject: [PATCH] hw/net/rocker: Don't overflow in of_dpa_mask2prefix() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit In of_dpa_mask2prefix() we do "(2 << i)" for a loop where i can go up to 31. At i == 31 we shift off the top end of an integer. This doesn't actually calculate the wrong value in practice, because we calculate 0 - 1 which is the 0xffffffff mask we wanted (and for QEMU shifting off the top of a signed integer is not UB); but it makes Coverity complain. We could fix this simply by using "2ULL" (where the "(2ULL << i) - 1" expression also evaluates to 0xffffffff for i == 31), but in fact this function is a slow looping implementation of counting the number of trailing zeroes in the (network-order) input mask: 0bxxxxxxxxx1 => 32 0bxxxxxxxx10 => 31 0bxxxxxxx100 => 30 ... 0bx100000000 => 2 0b1000000000 => 1 0b0000000000 => 0 Replace the implementation with 32 - ctz32(). Coverity: CID 1547602 Suggested-by: Philippe Mathieu-Daudé Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251016145407.781978-1-peter.maydell@linaro.org --- hw/net/rocker/rocker_of_dpa.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c index 4aed178756..16b9bc7a4b 100644 --- a/hw/net/rocker/rocker_of_dpa.c +++ b/hw/net/rocker/rocker_of_dpa.c @@ -198,16 +198,7 @@ typedef struct of_dpa_group { static int of_dpa_mask2prefix(uint32_t mask) { - int i; - int count = 32; - - for (i = 0; i < 32; i++) { - if (!(ntohl(mask) & ((2 << i) - 1))) { - count--; - } - } - - return count; + return 32 - ctz32(ntohl(mask)); } #if defined(DEBUG_ROCKER) -- 2.47.3
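Review bot: the new one-line body of of_dpa_mask2prefix() carries no comment, and its mask == 0 case (the "0b0000000000 => 0" row in the commit message) is correct only because ctz32() returns 32 for a zero argument. A short comment above "return 32 - ctz32(ntohl(mask));" would help. It could say that the function counts trailing zeroes of the host-order mask and that the zero-input result of ctz32() is relied on. That keeps a later reader from swapping in a primitive whose result for zero is undefined. The rewrite is otherwise equivalent to the removed loop, including for non-contiguous masks: the loop decremented count once for every i whose low i + 1 bits were all clear, which is the trailing-zero count.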