Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 25 Apr 1999 05:03:43 +1000
From:      Bruce Evans <bde@zeta.org.au>
To:        ache@FreeBSD.ORG, dada@sbox.tu-graz.ac.at, freebsd-bugs@FreeBSD.ORG
Subject:   Re: kern/11252: lite2 bugfixes missing in kern/uipc_socket.c
Message-ID:  <199904241903.FAA14238@godzilla.zeta.org.au>
next in thread | raw e-mail | index | archive | help 
>State-Changed-From-To: open->closed
>State-Changed-By: ache
>State-Changed-When: Sat Apr 24 11:30:23 PDT 1999
>State-Changed-Why: 
>Lite2 fixes and tcp_usrreq.c undone applied.
>short->int transition is out of my scope.

The Lite2 fix for the SO_*TIMEO range checking is not good.  It replaces
an honest but too strict attempt to prevent overflow with a classic bug
(test for overflow after fatal overflow may have occurred).

I've been using the following (over engineered) fix for a year or two
but haven't verified that it fixes more than it breaks (if anything).
The Lite2 test is simpler and may be good enough in practice since
requesting preposterous timeouts to defeat the overflow test probably
only harms the requester.

Bruce

diff -c2 uipc_socket.c~ uipc_socket.c
*** uipc_socket.c~	Wed Feb 17 19:48:23 1999
--- uipc_socket.c	Wed Feb 17 19:48:25 1999
***************
*** 956,960 ****
  	struct	linger l;
  	struct	timeval tv;
! 	short	val;
  
  	error = 0;
--- 955,959 ----
  	struct	linger l;
  	struct	timeval tv;
! 	u_long	val;
  
  	error = 0;
***************
*** 1050,1058 ****
  				goto bad;
  
! 			if (tv.tv_sec > SHRT_MAX / hz - hz) {
  				error = EDOM;
  				goto bad;
  			}
- 			val = tv.tv_sec * hz + tv.tv_usec / tick;
  
  			switch (sopt->sopt_name) {
--- 1049,1065 ----
  				goto bad;
  
! 			/* assert(hz > 0); */
! 			if (tv.tv_sec < 0 || tv.tv_sec > SHRT_MAX / hz ||
! 			    tv.tv_usec < 0 || tv.tv_usec >= 1000000) {
! 				error = EDOM;
! 				goto bad;
! 			}
! 			/* assert(tick > 0); */
! 			/* assert(ULONG_MAX - SHRT_MAX >= 1000000); */
! 			val = (u_long)(tv.tv_sec * hz) + tv.tv_usec / tick;
! 			if (val > SHRT_MAX) {
  				error = EDOM;
  				goto bad;
  			}
  
  			switch (sopt->sopt_name) {


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199904241903.FAA14238>