From owner-freebsd-hackers@FreeBSD.ORG  Mon Aug 23 21:26:31 2004
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5058916A4EB
	for <freebsd-hackers@FreeBSD.org>;
	Mon, 23 Aug 2004 21:26:31 +0000 (GMT)
Received: from mail2.speakeasy.net (mail2.speakeasy.net [216.254.0.202])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2080243D41
	for <freebsd-hackers@FreeBSD.org>;
	Mon, 23 Aug 2004 21:26:31 +0000 (GMT)	(envelope-from jhb@FreeBSD.org)
Received: (qmail 18743 invoked from network); 23 Aug 2004 21:26:30 -0000
Received: from dsl027-160-063.atl1.dsl.speakeasy.net (HELO server.baldwin.cx)
	([216.27.160.63])          (envelope-sender <jhb@FreeBSD.org>)
	encrypted SMTP
	for <tedu@coverity.com>; 23 Aug 2004 21:26:28 -0000
Received: from [10.50.40.208] (gw1.twc.weather.com [216.133.140.1])
	(authenticated bits=0)
	by server.baldwin.cx (8.12.11/8.12.11) with ESMTP id i7NLQHeS089422;
	Mon, 23 Aug 2004 17:26:21 -0400 (EDT)
	(envelope-from jhb@FreeBSD.org)
From: John Baldwin <jhb@FreeBSD.org>
To: freebsd-hackers@FreeBSD.org
Date: Mon, 23 Aug 2004 15:13:13 -0400
User-Agent: KMail/1.6.2
References: <412652AA.5020308@coverity.com>
	<20040821131924.U34847@mp2.macomnet.net>
	<20040821150427.O35076@mp2.macomnet.net>
In-Reply-To: <20040821150427.O35076@mp2.macomnet.net>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200408231513.14014.jhb@FreeBSD.org>
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server.baldwin.cx
cc: hackers@FreeBSD.org
cc: Ted Unangst <tedu@coverity.com>
Subject: Re: off by one bounds
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Aug 2004 21:26:31 -0000

On Saturday 21 August 2004 07:07 am, Maxim Konovalov wrote:
> On Sat, 21 Aug 2004, 13:19+0400, Maxim Konovalov wrote:
> > On Sat, 21 Aug 2004, 05:00-0400, Skip Ford wrote:
> > > Maxim Konovalov wrote:
> > > > On Fri, 20 Aug 2004, 12:36-0700, Ted Unangst wrote:
> > > >> errors in freebsd 4.10 found by Coverity's analysis.
> > > >>
> > > >> ip_icmp.c:ip_next_mtu, i == sizeof, dir >= 0
> > > >
> > > > If i == sizeof then mtutab[i] == 0
> > >
> > > If "i == sizeof" then mtutab[i] is out of bounds, off by one.
> > > There is no mtutab[sizeof mtutab / sizeof mtutab[0]].
> > >
> > > This isn't specific to RELENG_4
>
> After the second thought I still think it is not a error.  mtu is
> always >= than the minimal value in mtutab[] that is why i is always
> less than (sizeof mtutab) / sizeof mtutab[0]).  What do you think?

It's better to fix the code so it doesn't break on unexpected inputs. :)

-- 
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org