Date: 27 Jul 1998 23:16:50 +0200
From: dag-erli@ifi.uio.no (Dag-Erling Coidan Smørgrav)
To: hackers@FreeBSD.ORG
Subject: One for the Bruce filter...
Message-ID: <xzpemv7570d.fsf@hrotti.ifi.uio.no>

A thread on BUGTRAQ pointed me to this one. In readv() in
/sys/kern/sys_generic.h, there is the following piece of code:

        auio.uio_resid = 0;
        for (i = 0; i < uap->iovcnt; i++) {
                auio.uio_resid += iov->iov_len;
                if (auio.uio_resid < 0) {
                        error = EINVAL;
                        goto done;
                }
                iov++;
        }

However, iov->iov_len is a size_t, so it doesn't make sense to check
auio.uio_resid for a negative value (unless that's your idea of
detecting arithmetic overflow). Since auio.uio_resid is apparently
being used as a byte count ("resid" is a wonderfully descriptive name,
isn't it?), it should probably be a size_t, not an int.

Anyway, the net result is that readv() returns EINVAL when it
shouldn't, namely when the sum of the sizes of your data chunks
exceeds 2^31 - 1.

BTW, struct iovec and struct uio are in /usr/include/sys/uio.h.

DES
-- 
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
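
Added example, not part of the original message and not FreeBSD source: a user-space model of the summation above, next to a variant that uses an unsigned accumulator with an explicit bound checked before each add. It goes slightly beyond the message by including a constructed input whose 32-bit sum wraps back to a non-negative value, which the sign test in this model does not notice. The function names, the `limit` parameter and the sample lengths are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Model of the loop in the message with a 32-bit signed byte count.
 * The add is done unsigned and converted back, so the wrap is defined
 * (two's complement on gcc/clang) rather than signed-overflow UB. */
int sum_int_resid(const struct iovec *iov, int iovcnt, int32_t *resid)
{
    uint32_t acc = 0;
    for (int i = 0; i < iovcnt; i++) {
        acc += (uint32_t)iov[i].iov_len;
        if ((int32_t)acc < 0)           /* the sign test from the message */
            return EINVAL;
    }
    *resid = (int32_t)acc;
    return 0;
}

/* Unsigned accumulator with an explicit bound, tested before each add
 * so the sum cannot wrap. `limit` is a parameter chosen for this example. */
int sum_checked(const struct iovec *iov, int iovcnt, size_t limit, size_t *resid)
{
    size_t acc = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > limit - acc)
            return EINVAL;
        acc += iov[i].iov_len;
    }
    *resid = acc;
    return 0;
}

/* Constructed inputs: base pointers stay NULL, only the lengths matter. */
static const struct iovec two_gib[] = { { .iov_len = 0x40000000u }, { .iov_len = 0x40000000u } };
static const struct iovec wraps[]   = { { .iov_len = 1 }, { .iov_len = 0xffffffffu } };

int main(void)
{
    int32_t r32 = -1;
    size_t r = 0;
    int a = sum_int_resid(two_gib, 2, &r32), b = sum_checked(two_gib, 2, UINT32_MAX, &r);
    printf("2^31 total: int model=%d, bounded=%d (resid %zu)\n", a, b, r);
    a = sum_int_resid(wraps, 2, &r32);
    b = sum_checked(wraps, 2, UINT32_MAX, &r);
    printf("wrapping:   int model=%d (resid %d), bounded=%d\n", a, (int)r32, b);
    return 0;
}
```

For a real readv()-style interface the natural bound is the largest value the return type can report, since POSIX allows EINVAL when the sum of the iov_len values would overflow an ssize_t.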