From owner-freebsd-hackers@FreeBSD.ORG  Thu Apr 17 00:40:15 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 34B3637B401
	for <FreeBSD-hackers@FreeBSD.org>;
	Thu, 17 Apr 2003 00:40:15 -0700 (PDT)
Received: from Danovitsch.dnsq.org (b74143.upc-b.chello.nl [212.83.74.143])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 52CCA43FA3
	for <FreeBSD-hackers@FreeBSD.org>;
	Thu, 17 Apr 2003 00:40:13 -0700 (PDT)
	(envelope-from Danovitsch@Vitsch.net)
Received: from FreeBSD.Danovitsch.LAN (b83007.upc-b.chello.nl [212.83.83.7])
	by Danovitsch.dnsq.org (8.12.3p2/8.11.3) with ESMTP id h3H7ZGCR045912
	for <FreeBSD-hackers@FreeBSD.org>;
	Thu, 17 Apr 2003 09:35:17 +0200 (CEST)
	(envelope-from Danovitsch@Vitsch.net)
Content-Type: text/plain;
  charset="iso-8859-1"
From: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
Date: Thu, 17 Apr 2003 09:41:53 +0200
User-Agent: KMail/1.4.3
To: FreeBSD-hackers@FreeBSD.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200304170941.53069.Danovitsch@Vitsch.net>
Subject: kern/51074: pointer arithmatic error in ugen.c
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2003 07:40:15 -0000

Hi,

I have just submitted ker/51074: pointer arithmatic error in ugen.c
( http://www.FreeBSD.org/cgi/query-pr.cgi?pr=3Dkern%2F51074 )
with this description :

I believe there is a pointer arithmatic error in line 965 of ugen.c .
The entire piece of code reads :

961:    /* throw away oldest input if the buffer is full */
962:    if(sce->fill < sce->cur && sce->cur <=3D sce->fill + count) {
963:            sce->cur +=3D count;
964:            if(sce->cur >=3D sce->limit)
965:                    sce->cur =3D sce->ibuf + (sce->limit - sce->cur);
966:            DPRINTFN(5, ("ugen_isoc_rintr: throwing away %d bytes\n",
967:                        count));
978:    }

count gets added to sce->cur .
if the pointer equals/exceeds the end of the buffer, we move it to the
beginnen of the buffer (plus the X bytes it was past the end).

If sce->cur exceeds sce->limit, (sce->cur - sce->limit) would be a negati=
ve
value. (resulting in a sce->cur pointer sitting X bytes before the beginn=
ing
of the buffer)
-- end --

Could someone please check if I'm correct and apply the patch?

ps: thanks to some mailing-weirdness the pr is marked confidential, which=
 it=20
shouldn't have been.. :S

thanks,
Daan