From: dag-erli@ifi.uio.no (Dag-Erling Coidan Smørgrav)
To: hackers@FreeBSD.ORG
Subject: One for the Bruce filter...
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/
Date: 27 Jul 1998 23:16:50 +0200

A thread on BUGTRAQ pointed me to this one.
In readv() in /sys/kern/sys_generic.h, there is the following piece of code:

    auio.uio_resid = 0;
    for (i = 0; i < uap->iovcnt; i++) {
        auio.uio_resid += iov->iov_len;
        if (auio.uio_resid < 0) {
            error = EINVAL;
            goto done;
        }
        iov++;
    }

However, iov->iov_len is a size_t, so it doesn't make sense to check auio.uio_resid for a negative value (unless that's your idea of detecting arithmetic overflow). Since auio.uio_resid is apparently being used as a byte count ("resid" is a wonderfully descriptive name, isn't it?), it should probably be a size_t, not an int. Anyway, the net result is that readv() returns EINVAL when it shouldn't, namely when the sum of the sizes of your data chunks exceeds 2^31 - 1.

BTW, struct iovec and struct uio are in /usr/include/sys/uio.h.

DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
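An added example (mine, not code from the mail or from the FreeBSD source): the quoted accumulation next to an overflow-safe version, both written against the POSIX struct iovec; the function and helper names are my own.

```c
#include <errno.h>
#include <limits.h>
#include <sys/uio.h>   /* POSIX struct iovec: { void *iov_base; size_t iov_len; } */

#ifndef SSIZE_MAX      /* fallback in case <limits.h> hides the POSIX macro */
#define SSIZE_MAX ((ssize_t)(~(size_t)0 >> 1))
#endif

/* The loop as quoted from readv(): size_t lengths summed into an int, the sign
 * bit being the only "overflow" check. A partial sum of 2^31 goes negative and is
 * rejected (the mail's complaint); on 64-bit a lone 2^32 truncates to 0 and passes. */
int iov_total_as_posted(const struct iovec *iov, int iovcnt, int *resid)
{
    int total = 0;
    for (int i = 0; i < iovcnt; i++) {
        total += iov[i].iov_len;        /* size_t -> int truncation */
        if (total < 0)
            return EINVAL;
    }
    *resid = total;
    return 0;
}

/* Hardened: count in size_t and refuse, before adding, any length that would
 * carry the sum past SSIZE_MAX, the most readv()'s ssize_t result can report. */
int iov_total_checked(const struct iovec *iov, int iovcnt, size_t *resid)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > (size_t)SSIZE_MAX - total)   /* total <= SSIZE_MAX */
            return EINVAL;
        total += iov[i].iov_len;
    }
    *resid = total;
    return 0;
}

/* Helpers (names are mine): two constructed chunks; iov_base is never dereferenced. */
int posted_pair(size_t a, size_t b)             /* 0 or EINVAL, as posted */
{
    struct iovec v[2] = { { 0, a }, { 0, b } };
    return iov_total_as_posted(v, 2, &(int){0});
}

ssize_t checked_pair(size_t a, size_t b)        /* byte count, or -1 on EINVAL */
{
    size_t sum;
    struct iovec v[2] = { { 0, a }, { 0, b } };
    return iov_total_checked(v, 2, &sum) ? -1 : (ssize_t)sum;
}
```

With a 64-bit size_t the checked version accepts a 2 GiB request that the posted loop rejects, and refuses only sums that would not fit in readv()'s ssize_t return.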