PATCH: ctdb: buffer write beyond limits
douglas.bagnall at catalyst.net.nz
Wed Feb 20 21:58:48 UTC 2019
I haven't been following this thread, but your simple maths seems wrong.
> the code is right if the following facts are taken into account.
> 1. MAX_SIGNED_INT = MAX_UNSIGNED_INT/2 - 1
No, not if by MAX_(UN)SIGNED_INT you mean (U)INT_MAX, which are often
2 ** 32 - 1 and 2 ** 31 - 1, or 4294967295 and 2147483647.
4294967295 / 2 - 1 = 2147483646, which is one less than INT_MAX, not 2.
> 2. length is defined as unsigned int and will get assigned at most MAX_SIGNED_INT(num_ready)
> 3. offset is initially zero and will only grow as much as length is shrinking (=>code)
> => therefore, offset + length is at most MAX_SIGNED_INT. Guaranteed!
> 4. If then another (guaranteed positive) signed integer (here num_ready) is added we simply
> cannot overflow an unsigned int because
> MAX_SIGNED_INT + MAX_SIGNED_INT = MAX_UNSIGNED_INT - 2
2147483647 + 2147483647 = 4294967294.
That's UINT_MAX - 1.
> Taking those simple maths into account, I hope you can agree to the code.
I still haven't looked at the code.
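An added example, not code from this thread or from ctdb, that pins down the arithmetic argued over above with fixed 32-bit widths. The names offset, length and num_ready come from the quoted reply; the invariants (length and offset + length at most INT32_MAX, num_ready a non-negative signed int) are the ones claimed there and are assumed here, not verified against ctdb.

```c
/* Added example (not ctdb code): checks the 32-bit integer claims
 * made in the thread. Assumes int is 32 bits, as the reply says is
 * common, by using the exact-width types from <stdint.h>. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Corrected form of "fact 1": INT32_MAX is UINT32_MAX / 2, while
 * UINT32_MAX / 2 - 1 is one less than INT32_MAX. */
bool signed_max_is_half_unsigned_max(void)
{
    return (uint32_t)INT32_MAX == UINT32_MAX / 2
        && UINT32_MAX / 2 - 1 == (uint32_t)INT32_MAX - 1;
}

/* Pre-check an unsigned add instead of relying on wraparound;
 * stores a + b in *out only when it fits in 32 bits. */
bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* True if offset + length + num_ready would wrap a uint32_t.
 * A negative num_ready is treated as unsafe (the reply assumes it is
 * "guaranteed positive"; this check does not trust that). */
bool sum_would_wrap(uint32_t offset, uint32_t length, int32_t num_ready)
{
    uint32_t partial, total;
    if (num_ready < 0)
        return true;
    if (!add_u32_checked(offset, length, &partial))
        return true;
    return !add_u32_checked(partial, (uint32_t)num_ready, &total);
}

/* Worst case under the claimed invariants: offset + length == INT32_MAX
 * and num_ready == INT32_MAX. Returns the sum, or 0 if it wrapped.
 * The result is UINT32_MAX - 1 (4294967294), i.e. one spare value,
 * not the two the quoted "MAX_UNSIGNED_INT - 2" suggests. */
uint32_t worst_case_sum(void)
{
    uint32_t offset = 0, length = INT32_MAX, partial, total;
    int32_t num_ready = INT32_MAX;
    if (!add_u32_checked(offset, length, &partial))
        return 0;
    if (!add_u32_checked(partial, (uint32_t)num_ready, &total))
        return 0;
    return total;
}
```

The margin is a single value: if the offset + length invariant is off by two, the same addition wraps.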