From owner-freebsd-bugs Sat Apr 24 12: 3:52 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.26.10.9]) by hub.freebsd.org (Postfix) with ESMTP id 211A414BE0; Sat, 24 Apr 1999 12:03:48 -0700 (PDT) (envelope-from bde@godzilla.zeta.org.au) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.8.7) id FAA14238; Sun, 25 Apr 1999 05:03:43 +1000 Date: Sun, 25 Apr 1999 05:03:43 +1000 From: Bruce Evans Message-Id: <199904241903.FAA14238@godzilla.zeta.org.au> To: ache@FreeBSD.ORG, dada@sbox.tu-graz.ac.at, freebsd-bugs@FreeBSD.ORG Subject: Re: kern/11252: lite2 bugfixes missing in kern/uipc_socket.c Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >State-Changed-From-To: open->closed >State-Changed-By: ache >State-Changed-When: Sat Apr 24 11:30:23 PDT 1999 >State-Changed-Why: >Lite2 fixes and tcp_usrreq.c undone applied. >short->int transition is out of my scope. The Lite2 fix for the SO_*TIMEO range checking is not good. It replaces an honest but too strict attempt to prevent overflow with a classic bug (test for overflow after fatal overflow may have occurred). I've been using the following (over engineered) fix for a year or two but haven't verified that it fixes more than it breaks (if anything). The Lite2 test is simpler and may be good enough in practice since requesting preposterous timeouts to defeat the overflow test probably only harms the requester. Bruce diff -c2 uipc_socket.c~ uipc_socket.c *** uipc_socket.c~ Wed Feb 17 19:48:23 1999 --- uipc_socket.c Wed Feb 17 19:48:25 1999 *************** *** 956,960 **** struct linger l; struct timeval tv; ! short val; error = 0; --- 955,959 ---- struct linger l; struct timeval tv; ! u_long val; error = 0; *************** *** 1050,1058 **** goto bad; ! if (tv.tv_sec > SHRT_MAX / hz - hz) { error = EDOM; goto bad; } - val = tv.tv_sec * hz + tv.tv_usec / tick; switch (sopt->sopt_name) { --- 1049,1065 ---- goto bad; ! /* assert(hz > 0); */ ! if (tv.tv_sec < 0 || tv.tv_sec > SHRT_MAX / hz || ! tv.tv_usec < 0 || tv.tv_usec >= 1000000) { ! error = EDOM; ! goto bad; ! } ! /* assert(tick > 0); */ ! /* assert(ULONG_MAX - SHRT_MAX >= 1000000); */ ! val = (u_long)(tv.tv_sec * hz) + tv.tv_usec / tick; ! if (val > SHRT_MAX) { error = EDOM; goto bad; } switch (sopt->sopt_name) { To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message