Date: Mon, 10 Nov 1997 20:02:39 -0800 (PST)
From: "Jamil J. Weatherbee" <jamil@trojanhorse.ml.org>
To: hackers@freebsd.org
Subject: Possible Kernel Bug?
Message-ID: <Pine.BSF.3.96.971110194629.1253A-100000@trojanhorse.ml.org>
I may be dead wrong about this but it is worth a try:

    void *data;
    void *data_end;

Let's say you are passed a struct buf with a data buffer bp->b_data and bp->b_bcount = 1000. If you say

    data = bp->b_data;    /* this is fine */

what about

    data_end = bp->b_data + bp->b_bcount;    /* this pointer could point to something nonexistent??? */

So dereferencing it is definitely a no no (and that is not being done), but I see places where data is compared to data_end, such as

    while (data < data_end)

Now since caddr_t is defined as

    typedef char *caddr_t;

which I assume is represented as a 32 bit unsigned integer, are you guaranteed that the byte 0xffffffff is never allocated? This should be true in addition to 0x00000000 never being allocated.
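The end-pointer idiom the post asks about, as an added C example that is not from this thread or from the FreeBSD source: the struct buf here is a hypothetical stand-in with only the two fields the post names, and the sample buffer is constructed. It compares data against a one-past-the-end pointer without ever dereferencing it, and adds the explicit wraparound check a reviewer would want wherever b_bcount comes from an untrusted caller, so the question of whether the top of the address space is ever mapped does not have to be relied on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two struct buf fields the post mentions. */
struct buf {
    char *b_data;
    long  b_bcount;
};

/* True if b_data + b_bcount would wrap past the end of the address space,
 * i.e. the end pointer could not be formed safely.  The check is done on
 * uintptr_t, not on the pointer itself, because pointer arithmetic that
 * leaves the object is undefined in C and may not wrap the way integers do. */
static bool buf_end_would_wrap(const struct buf *bp)
{
    if (bp->b_bcount < 0)
        return true;                     /* negative count: reject outright */
    uintptr_t start = (uintptr_t)bp->b_data;
    return (uintptr_t)bp->b_bcount > UINTPTR_MAX - start;
}

/* Count bytes equal to c using the data / data_end idiom from the post.
 * data_end is one past the last byte: it is only ever compared, never read.
 * Returns -1 when the end pointer cannot be formed. */
static long buf_count_byte(const struct buf *bp, char c)
{
    if (buf_end_would_wrap(bp))
        return -1;
    const char *data     = bp->b_data;
    const char *data_end = bp->b_data + bp->b_bcount;
    long n = 0;
    while (data < data_end) {            /* stops exactly at the end */
        if (*data == c)
            n++;
        data++;
    }
    return n;
}

/* Constructed sample buffer (11 bytes, no terminator needed). */
static char sample_data[] = "hello world";
static const struct buf sample_buf = { sample_data, 11 };

int main(void)
{
    printf("'l' occurs %ld times\n", buf_count_byte(&sample_buf, 'l'));  /* 3 */
    return 0;
}
```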