Date: Sun, 25 Apr 1999 05:03:43 +1000
From: Bruce Evans <bde@zeta.org.au>
To: ache@FreeBSD.ORG, dada@sbox.tu-graz.ac.at, freebsd-bugs@FreeBSD.ORG
Subject: Re: kern/11252: lite2 bugfixes missing in kern/uipc_socket.c
Message-ID: <199904241903.FAA14238@godzilla.zeta.org.au>
>State-Changed-From-To: open->closed
>State-Changed-By: ache
>State-Changed-When: Sat Apr 24 11:30:23 PDT 1999
>State-Changed-Why:
>Lite2 fixes and tcp_usrreq.c undone applied.
>short->int transition is out of my scope.

The Lite2 fix for the SO_*TIMEO range checking is not good. It replaces an honest but too strict attempt to prevent overflow with a classic bug (test for overflow after fatal overflow may have occurred).

I've been using the following (over engineered) fix for a year or two but haven't verified that it fixes more than it breaks (if anything). The Lite2 test is simpler and may be good enough in practice since requesting preposterous timeouts to defeat the overflow test probably only harms the requester.

Bruce

diff -c2 uipc_socket.c~ uipc_socket.c *** uipc_socket.c~ Wed Feb 17 19:48:23 1999 --- uipc_socket.c Wed Feb 17 19:48:25 1999 *************** *** 956,960 **** struct linger l; struct timeval tv; ! short val; error = 0; --- 955,959 ---- struct linger l; struct timeval tv; ! u_long val; error = 0; *************** *** 1050,1058 **** goto bad; ! if (tv.tv_sec > SHRT_MAX / hz - hz) { error = EDOM; goto bad; } - val = tv.tv_sec * hz + tv.tv_usec / tick; switch (sopt->sopt_name) { --- 1049,1065 ---- goto bad; ! /* assert(hz > 0); */ ! if (tv.tv_sec < 0 || tv.tv_sec > SHRT_MAX / hz || ! tv.tv_usec < 0 || tv.tv_usec >= 1000000) { ! error = EDOM; ! goto bad; ! } ! /* assert(tick > 0); */ ! /* assert(ULONG_MAX - SHRT_MAX >= 1000000); */ ! val = (u_long)(tv.tv_sec * hz) + tv.tv_usec / tick; ! if (val > SHRT_MAX) { error = EDOM; goto bad; } switch (sopt->sopt_name) {

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
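Review bot: in the first hunk, `val` becomes `u_long` while the second hunk still rejects anything above SHRT_MAX, so the declaration now looks wider than any value the code accepts. A one-line comment at the declaration saying the wide type exists only so the sum can be range-checked before it is narrowed would keep a later cleanup from turning it back into `short`.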
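Review bot: in the second hunk, `tv.tv_usec / tick` truncates, so a request with tv_sec == 0 and 0 < tv_usec < tick yields val == 0, the same value as an all-zero timeval; rounding up when tv_usec is nonzero (for example `if (val == 0 && tv.tv_usec != 0) val = 1;`) would keep a very short timeout distinct from a zero one. The preconditions hz > 0 and tick > 0 also appear only as commented-out asserts although `SHRT_MAX / hz` and `tv.tv_usec / tick` divide by those values; making them real assertions would have the code enforce what the comments state.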
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199904241903.FAA14238>
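The "test for overflow after fatal overflow" pattern named in the message, next to the check-before order the patch uses, as an added example that is not part of the original e-mail or of the FreeBSD or Lite2 source. The function names, the `HZ`/`TICK` constants (a 100 Hz clock) and the 16-bit destination type are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>

/* Constructed values: a 100 Hz clock, so one tick is 10000 microseconds. */
enum { HZ = 100, TICK = 1000000 / HZ };

/*
 * Check-after form (constructed, not the Lite2 source): the sum is narrowed
 * to 16 bits first, so the range test only ever sees the wrapped value.
 * Narrowing an out-of-range value is implementation-defined; it wraps
 * modulo 2^16 on common compilers such as gcc and clang.
 */
int ticks_check_after(long sec, long usec, int16_t *out)
{
    int16_t val = (int16_t)(sec * HZ + usec / TICK);

    if (val > SHRT_MAX)     /* can never be true for a 16-bit value */
        return EDOM;
    *out = val;
    return 0;
}

/*
 * Check-before form, following the order of tests in the patch: reject
 * every out-of-range field first, do the arithmetic in a wide type, then
 * test the sum before it is narrowed.
 */
int ticks_check_before(long sec, long usec, int16_t *out)
{
    unsigned long val;

    if (sec < 0 || sec > SHRT_MAX / HZ || usec < 0 || usec >= 1000000)
        return EDOM;
    val = (unsigned long)(sec * HZ) + (unsigned long)(usec / TICK);
    if (val > SHRT_MAX)
        return EDOM;
    *out = (int16_t)val;
    return 0;
}
```

With these constants a 656-second request is accepted by the check-after form as a 64-tick timeout, while the check-before form returns EDOM.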