On Tue, 2006-08-29 at 11:20 -0700, Chris Wright wrote:
> * Sridhar Samudrala ([EMAIL PROTECTED]) wrote:
> > -int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int
> > mode)
> > +ssize_t verify_iovec(struct msghdr *m, struct iovec *iov, char *address,
> > int mode)
> > {
> > int size, err, ct;
> > + ssize_t tot_len = 0;
> >
> > if (m->msg_namelen) {
> > if (mode == VERIFY_READ) {
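Review bot: the return type on the verify_iovec() signature is widened to ssize_t, but a caller that still stores the result in an int would truncate the total this change is meant to preserve. The callers are not in the lines shown, so confirm they are converted to ssize_t in the same patch.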
> > @@ -61,17 +62,22 @@ int verify_iovec(struct msghdr *m, struc
> > err = 0;
> >
> > for (ct = 0; ct < m->msg_iovlen; ct++) {
> > - err += iov[ct].iov_len;
> > + ssize_t len;
> > +
> > /*
> > - * Goal is not to verify user data, but to prevent returning
> > - * negative value, which is interpreted as errno.
> > - * Overflow is still possible, but it is harmless.
> > + * Goal is not to verify user data, but to prevent the cases
> > + * where an iov_len value or the sum of all iov_len values
> > + * overflows ssize_t.
> > */
> > - if (err < 0)
> > - return -EMSGSIZE;
> > + len = (ssize_t)iov[ct].iov_len;
> > + if (len < 0)
> > + return -EINVAL;
> > + tot_len += len;
> > + if (tot_len < 0)
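Review bot: the "tot_len += len;" followed by "if (tot_len < 0)" detects the overflow only after the signed addition has already overflowed, which is undefined behaviour in C, so the compiler is not obliged to keep the test. Check the headroom before adding (compare len against the maximum ssize_t value minus tot_len), or accumulate in an unsigned type and compare against that maximum. The per-element check also returns -EINVAL where the removed lines returned -EMSGSIZE; the changelog should say whether that change of errno is intended.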
>
> I specifically used size_t here, because signed integer overflow is not
> defined in C.
Is this a problem even if we are adding only positive integers?
I tried some tests and I didn't see any problem.
For ex: adding 2 max positive integers 0x7fffffff gave a result of -2
which passes the test for overflow.
0x7fffffff + 0x7ffffff = -2
0x7fffffff + 1 = -2147483648
Thanks
Sridhar
>
> thanks,
> -chris
> -
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
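As an added example (not part of the thread or of the kernel source), the userspace C sketch below sums iov_len values so that neither the cast nor the running total ever depends on signed wraparound, which is the concern raised in the quoted reply. The names iov_total_len, MAX_SSIZE and demo_sum_overflow are hypothetical, and the error codes are borrowed from the quoted patch as an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Assumption: ssize_t is the signed counterpart of size_t (same width). */
#define MAX_SSIZE ((ssize_t)(SIZE_MAX >> 1))

/*
 * Hypothetical userspace helper, not the kernel's verify_iovec():
 * sum the iov_len fields and reject any element or running total that
 * does not fit in ssize_t, without ever executing a signed overflow.
 */
static ssize_t iov_total_len(const struct iovec *iov, size_t count)
{
    ssize_t tot_len = 0;
    size_t ct;

    for (ct = 0; ct < count; ct++) {
        size_t len = iov[ct].iov_len;

        /* Compare as unsigned: a length above the maximum would turn
         * negative if it were cast to ssize_t first. */
        if (len > (size_t)MAX_SSIZE)
            return -EINVAL;
        /* Test the remaining headroom before adding; the addition below
         * is then always in range and no wraparound is relied upon. */
        if ((ssize_t)len > MAX_SSIZE - tot_len)
            return -EMSGSIZE;
        tot_len += (ssize_t)len;
    }
    return tot_len;
}

/* Constructed sample input: each length fits, but their sum does not. */
static ssize_t demo_sum_overflow(void)
{
    struct iovec iov[2] = {
        { .iov_base = NULL, .iov_len = (size_t)MAX_SSIZE },
        { .iov_base = NULL, .iov_len = 1 },
    };
    return iov_total_len(iov, 2);
}

int main(void)
{
    return demo_sum_overflow() == -EMSGSIZE ? 0 : 1;
}
```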