From owner-freebsd-net@FreeBSD.ORG Sun Nov 27 16:24:32 2011
Date: Sun, 27 Nov 2011 17:24:31 +0100
From: Jilles Tjoelker <jilles@stack.nl>
To: Alexander Best
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: possible array out of bounds access in sys/netinet/sctp_output.c
Message-ID: <20111127162430.GA95971@stack.nl>
In-Reply-To: <20111127154536.GA54043@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Nov 27, 2011 at 03:45:36PM +0000, Alexander Best wrote:
> I've been playing with clang tot and noticed the following error:
>
> /usr/local/bin/clang -c -O3 -pipe -fno-inline-functions -fno-strict-aliasing -march=core2 -std=c99 -g -fdiagnostics-show-option -fformat-extensions -Wall -Wcast-qual -Winline -Wmissing-include-dirs -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wredundant-decls -Wstrict-prototypes -Wundef -Wno-pointer-sign -nostdinc -I. -I/usr/git-freebsd-head/sys -I/usr/git-freebsd-head/sys/contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-omit-frame-pointer -mno-aes -mno-avx -mcmodel=kernel -mno-red-zone -mno-mmx -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -Wno-error=tautological-compare -Wno-error=shift-count-negative -Wno-error=shift-count-overflow -Wno-error=shift-overflow -Wno-error=conversion -Wno-error=empty-body -Wno-error=gnu-designator -Wno-error=format -Wno-error=format-invalid-specifier -Wno-error=format-extra-args -Werror /usr/git-freebsd-head/sys/netinet/sctp_output.c
> clang: warning: argument unused during compilation: '-fformat-extensions'
> /usr/git-freebsd-head/sys/netinet/sctp_output.c:4685:2: error: array index 1 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
>         sup_addr->addr_type[1] = htons(SCTP_IPV6_ADDRESS);
>         ^                   ~
> /usr/git-freebsd-head/sys/netinet/sctp_header.h:84:2: note: array 'addr_type' declared here
>         uint16_t addr_type[SCTP_ARRAY_MIN_LEN]; /* array of supported address
>         ^
> 1 error generated.
> *** Error code 1
>
> Stop in /usr/obj/usr/git-freebsd-head/sys/GENERIC.
> *** Error code 1
>
> Stop in /usr/git-freebsd-head.
> *** Error code 1
>
> Stop in /usr/git-freebsd-head.
>
> This is from a GENERIC kernel build (so INET + INET6) for amd64. Is this a
> false positive, or is length(sup_addr->addr_type) really == 1, thus making
> sup_addr->addr_type[1] an illegal access?

This is the fairly common construct of a variable-length array at the end
of a struct. With C89, this was not allowed but defining one element and
allocating more elements worked in most implementations. C99 recognized
this need and created a way to do it, which looks like
uint16_t addr_type[];. This adds any necessary padding and allows access
to however many elements have been allocated. Also, if it is not at the
end of a struct it is an error.

Using this new construct requires code changes because some code, such as
code fairly close to the error message, relies on the size of the one
element already in the struct.

-- 
Jilles Tjoelker
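The two layouts the reply contrasts, as an added example written for this page and not code from the FreeBSD tree: a trailing one-element array (the C89 "struct hack" that -Warray-bounds trips over when index 1 is used) next to a C99 flexible array member, with the size arithmetic that has to change when converting. The struct and field names, the 4-byte parameter header and the address-type values are assumptions modelled on the addr_type[] case in the thread, not the kernel's sctp_header.h definitions.

```c
/* Added example, not FreeBSD code: one-element trailing array versus a
 * C99 flexible array member, and the allocation arithmetic for each.
 * All names and values below are assumed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 4-byte type/length parameter header. */
struct param_hdr {
    uint16_t type;
    uint16_t length;
};

/* C89 style: one element declared, more allocated in practice.
 * Writing old->addr_type[1] is what clang's -Warray-bounds flags. */
struct sup_addr_old {
    struct param_hdr hdr;
    uint16_t addr_type[1];
};

/* C99 style: flexible array member; it must be the last member and
 * contributes nothing to sizeof(struct sup_addr_new). */
struct sup_addr_new {
    struct param_hdr hdr;
    uint16_t addr_type[];
};

/* Bytes needed for the old layout holding n entries.  The declared
 * element is already inside sizeof, so only n-1 more are added; this
 * is the arithmetic the reply says nearby code relies on. */
size_t old_size(size_t n)
{
    return sizeof(struct sup_addr_old) + (n > 1 ? n - 1 : 0) * sizeof(uint16_t);
}

/* Bytes needed for the flexible layout: sizeof covers only the header
 * (plus any padding), so all n entries are added explicitly. */
size_t new_size(size_t n)
{
    return sizeof(struct sup_addr_new) + n * sizeof(uint16_t);
}

/* Allocate and fill a flexible-array struct with n entries.  Returns
 * NULL on size overflow or allocation failure; the caller frees it. */
struct sup_addr_new *make_sup_addr(const uint16_t *types, size_t n)
{
    if (n > (SIZE_MAX - sizeof(struct sup_addr_new)) / sizeof(uint16_t))
        return NULL;
    struct sup_addr_new *p = malloc(new_size(n));
    if (p == NULL)
        return NULL;
    p->hdr.type = 0;                        /* assumed parameter type */
    p->hdr.length = (uint16_t)new_size(n);  /* total bytes, like a TLV */
    memcpy(p->addr_type, types, n * sizeof(uint16_t));
    return p;
}

/* Entry count derived from the header length, so reads stay inside
 * what was actually allocated rather than trusting the caller. */
size_t entry_count(const struct sup_addr_new *p)
{
    return (p->hdr.length - sizeof(struct sup_addr_new)) / sizeof(uint16_t);
}

/* Read entry i, or 0 when i is past the allocated entries. */
uint16_t get_addr_type(const struct sup_addr_new *p, size_t i)
{
    return i < entry_count(p) ? p->addr_type[i] : 0;
}

/* Round trip with two constructed entries (values 5 and 6 are made up);
 * returns 1 when layout and bounds behave as described, else 0. */
int roundtrip_ok(void)
{
    const uint16_t types[2] = { 5, 6 };   /* constructed sample input */
    struct sup_addr_new *p = make_sup_addr(types, 2);
    if (p == NULL)
        return 0;
    int ok = entry_count(p) == 2 &&
             get_addr_type(p, 0) == 5 &&
             get_addr_type(p, 1) == 6 &&   /* index 1 is fine here */
             get_addr_type(p, 2) == 0;     /* refused, not read past end */
    free(p);
    return ok;
}

int main(void)
{
    return roundtrip_ok() ? 0 : 1;
}
```

The point to check when converting a struct like this is every `sizeof(struct ...)` that fed an allocation or a length field: with the one-element array, `sizeof` already contained one entry and callers added `n - 1`; with the flexible member they must add all `n`, or the last entry is written past the allocation.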