integer overflow check
Alan Coopersmith
alan.coopersmith at oracle.com
Mon Dec 15 15:30:03 PST 2014
On 12/15/14 03:17 PM, jes at posteo.de wrote:
> On 15.12.2014 23:49, Julien Cristau wrote:
>> As far as I can tell you're now reading stuff->count before checking
>> whether it's inside the request buffer?
>
> stuff->count does not change, so I'm just moving the overflow check
> to call the macro after the check.
#define REQUEST_FIXED_SIZE(req, n)\
    if (((sizeof(req) >> 2) > client->req_len) || \
        (((n) >> 2) >= client->req_len) || \
        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
        return(BadLength)
The macro makes sure that the data in the buffer is at least as long
as the size of the struct we're casting it to, so that we don't read
uninitialized data (or data past the end of the buffer, potentially
off into unallocated or unmapped memory).
Until that happens (or the equivalent such as REQUEST_AT_LEAST_SIZE),
you don't know that stuff->count is valid to read a value from.
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
More information about the xorg-devel mailing list