Date:      Mon, 23 Aug 2004 15:13:13 -0400
From:      John Baldwin <jhb@FreeBSD.org>
To:        freebsd-hackers@FreeBSD.org
Cc:        Ted Unangst <tedu@coverity.com>
Subject:   Re: off by one bounds
Message-ID:  <200408231513.14014.jhb@FreeBSD.org>
In-Reply-To: <20040821150427.O35076@mp2.macomnet.net>
References:  <412652AA.5020308@coverity.com> <20040821131924.U34847@mp2.macomnet.net> <20040821150427.O35076@mp2.macomnet.net>

On Saturday 21 August 2004 07:07 am, Maxim Konovalov wrote:
> On Sat, 21 Aug 2004, 13:19+0400, Maxim Konovalov wrote:
> > On Sat, 21 Aug 2004, 05:00-0400, Skip Ford wrote:
> > > Maxim Konovalov wrote:
> > > > On Fri, 20 Aug 2004, 12:36-0700, Ted Unangst wrote:
> > > >> errors in freebsd 4.10 found by Coverity's analysis.
> > > >>
> > > >> ip_icmp.c:ip_next_mtu, i == sizeof, dir >= 0
> > > >
> > > > If i == sizeof then mtutab[i] == 0
> > >
> > > If "i == sizeof" then mtutab[i] is out of bounds, off by one.
> > > There is no mtutab[sizeof mtutab / sizeof mtutab[0]].
> > >
> > > This isn't specific to RELENG_4
>
> After the second thought I still think it is not an error.  mtu is
> always >= the minimal value in mtutab[] that is why i is always
> less than (sizeof mtutab) / (sizeof mtutab[0]).  What do you think?

It's better to fix the code so it doesn't break on unexpected inputs. :)

-- 
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
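
The pattern discussed in this thread, as an added example that is not part of the original message and is not the FreeBSD source: a scan over a descending table can exit with `i` equal to the element count, so the index is tested before `mtutab[i]` is read. The table values and the function names `mtu_scan` and `next_mtu_checked` are constructed for illustration; only `mtutab`, `mtu`, `dir` and `i` come from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed table for illustration: descending sizes, 0 as terminator. */
static const int mtutab[] = { 65535, 8166, 4352, 1492, 576, 296, 68, 0 };
#define NMTU (sizeof mtutab / sizeof mtutab[0])

/* Index of the first entry <= mtu, or NMTU when no entry qualifies. */
static size_t
mtu_scan(int mtu)
{
	size_t i;

	for (i = 0; i < NMTU; i++)
		if (mtu >= mtutab[i])
			break;
	return i;
}

/* dir < 0: next larger table value; dir >= 0: next smaller; 0 if none. */
static int
next_mtu_checked(int mtu, int dir)
{
	size_t i = mtu_scan(mtu);

	if (dir < 0)
		return (i == 0) ? 0 : mtutab[i - 1];
	/*
	 * The 0 terminator ends the scan for every mtu >= 0, but a negative
	 * mtu leaves i == NMTU, one past the last element.  Test the index
	 * before mtutab[i] is read.
	 */
	if (i == NMTU || mtutab[i] == 0)
		return 0;
	if (mtu > mtutab[i])
		return mtutab[i];
	return mtutab[i + 1];	/* in range: last entry is 0, so i <= NMTU - 2 */
}

int
main(void)
{
	printf("scan(-1) = %zu of %zu\n", mtu_scan(-1), (size_t)NMTU);
	printf("next(1500, 0) = %d\n", next_mtu_checked(1500, 0));
	printf("next(-1, 0) = %d\n", next_mtu_checked(-1, 0));
	return 0;
}
```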


