Date:      Sun, 31 Jan 2016 18:20:50 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 206804] Inconsistent type handling for sizes in sbuf code
Message-ID:  <bug-206804-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206804

            Bug ID: 206804
           Summary: Inconsistent type handling for sizes in sbuf code
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

Definition of `struct sbuf` in `/sys/sys/sbuf.h`:

struct sbuf {
        char            *s_buf;         /* storage buffer */
        sbuf_drain_func *s_drain_func;  /* drain function */
        void            *s_drain_arg;   /* user-supplied drain argument */
        int              s_error;       /* current error code */
        ssize_t          s_size;        /* size of storage buffer */
        ssize_t          s_len;         /* current length of string */
#define SBUF_FIXEDLEN   0x00000000      /* fixed length buffer (default) */
#define SBUF_AUTOEXTEND 0x00000001      /* automatically extend buffer */
#define SBUF_INCLUDENUL 0x00000002      /* nulterm byte is counted in len */
#define SBUF_USRFLAGMSK 0x0000ffff      /* mask of flags the user may specify */
#define SBUF_DYNAMIC    0x00010000      /* s_buf must be freed */
#define SBUF_FINISHED   0x00020000      /* set by sbuf_finish() */
#define SBUF_DYNSTRUCT  0x00080000      /* sbuf must be freed */
#define SBUF_INSECTION  0x00100000      /* set by sbuf_start_section() */
        int              s_flags;       /* flags */
        ssize_t          s_sect_len;    /* current length of section */
};

All sizes and lengths, such as `s_size`, are of type `ssize_t`.

However, some functions in `sys/kern/subr_sbuf.c` incorrectly treat these sizes
as `int`, which could lead to unexpected truncation on platforms where
`sizeof(int)` != `sizeof(ssize_t)`:

struct sbuf *
sbuf_new(struct sbuf *s, char *buf, int length, int flags)
{
    ...
    sbuf_newbuf(s, buf, length, flags);
    ...
}

static struct sbuf *
sbuf_newbuf(struct sbuf *s, char *buf, int length, int flags)
{
    ...
    s->s_size = length;
    ...
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
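The narrowing the report describes, reproduced in user space as an added illustration (this is not the kernel's sbuf code; `narrowed_size`, `size_after_int_conversion` and `checked_int_size` are stand-ins written for this example). On an LP64 platform an `ssize_t` request larger than `INT_MAX` arrives at an `int` parameter with a different value, whereas an explicit range check rejects it before the conversion happens.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for sbuf_newbuf(): the parameter is int, but the value is
 * stored into an ssize_t field, exactly as `s->s_size = length;` does. */
static ssize_t narrowed_size(int length)
{
    ssize_t s_size = length;
    return s_size;
}

/* Stand-in for the sbuf_new() call path: the caller's ssize_t is passed
 * to an int parameter, so the conversion is implicit and silent.  For an
 * out-of-range value the result is implementation-defined; the usual
 * two's-complement behaviour wraps INT_MAX + 1 to INT_MIN. */
ssize_t size_after_int_conversion(ssize_t requested)
{
    return narrowed_size(requested);
}

/* Defensive alternative: refuse any size an int cannot represent instead
 * of letting it wrap.  Returns the value as int, or -1 when rejected
 * (buffer sizes are never negative, so -1 is unambiguous here). */
int checked_int_size(ssize_t requested)
{
    if (requested < 0 || requested > INT_MAX)
        return -1;
    return (int)requested;
}

int main(void)
{
    if (sizeof(ssize_t) <= sizeof(int)) {
        puts("ssize_t is not wider than int on this platform; nothing to show");
        return 0;
    }
    /* Constructed request that exceeds INT_MAX (only valid when ssize_t is wider). */
    ssize_t big = (ssize_t)INT_MAX + 1;

    printf("requested %zd, callee sees %zd\n", big, size_after_int_conversion(big));
    printf("range check result: %d\n", checked_int_size(big));
    return 0;
}
```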