This is the mail archive of the mailing list for the GCC project.


[Bug c/27180] New: pointer arithmetic overflow handling broken

I have this function:

static inline int range_ptrinbuf(const void* buf,unsigned long len,const void* ptr) {
  register const char* c=(const char*)buf;
  return (c && c+len>c && (const char*)ptr-c<len);
}

I tested it with this test:

assert(range_ptrinbuf(buf,(unsigned long)-1,buf+1)==0);

With gcc 3.4.5, this passes (with and without optimization).
With gcc 4.1.0, this fails.  I put in a printf to see if any of the values is
incorrectly calculated -- it's "c+len>c" that incorrectly returns 0.  This is
with and without optimizer.

This is very bad because this kind of check is used to do security checks when
validating data from incoming network packets.  I was planning to use this
function to check data in incoming SMB packets.  This bug causes all kinds of
well-meaning security checks to silently fail.  I also compiled Samba and my
Linux kernel with gcc 4.1.  I'm feeling very uncomfortable now.  Please release
a fixed gcc version ASAP!

           Summary: pointer arithmetic overflow handling broken
           Product: gcc
           Version: 4.1.0
            Status: UNCONFIRMED
          Severity: blocker
          Priority: P3
         Component: c
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: felix-gcc at fefe dot de
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
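Added example, not code from the bug report or from GCC: the check `c+len>c` asks the compiler to detect pointer wrap-around, but forming a pointer past the end of the object is undefined behaviour in C, so the optimizer is entitled to treat `c+len>c` as always true. The version below does the same bounds check on `uintptr_t`, where wrap-around is well defined, and adds a `range_fits` variant for the "n bytes at ptr" shape a packet parser typically needs. The 16-byte `sample_packet` is constructed input for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input: a 16-byte buffer standing in for a received packet. */
static const unsigned char sample_packet[16] = { 0 };

/* Is ptr inside [buf, buf+len)?  The overflow test is done on uintptr_t,
 * where wrap-around is well defined, instead of on pointers, where
 * "c + len > c" is undefined behaviour and may be folded to true. */
static int range_ptrinbuf_safe(const void *buf, unsigned long len, const void *ptr)
{
    uintptr_t b = (uintptr_t)buf, p = (uintptr_t)ptr;
    if (buf == NULL)
        return 0;
    if ((uintptr_t)len > UINTPTR_MAX - b)   /* buf + len would wrap */
        return 0;
    return p >= b && p - b < (uintptr_t)len;
}

/* Do n bytes starting at ptr fit inside [buf, buf+len)?  This is the form a
 * packet parser usually needs before reading a field of size n at ptr. */
static int range_fits(const void *buf, unsigned long len, const void *ptr, unsigned long n)
{
    uintptr_t b = (uintptr_t)buf, p = (uintptr_t)ptr;
    if (buf == NULL || (uintptr_t)len > UINTPTR_MAX - b)
        return 0;
    if (p < b || p - b > (uintptr_t)len)    /* ptr before buf or past its end */
        return 0;
    /* len - (p - b) cannot wrap here because p - b <= len. */
    return (uintptr_t)n <= (uintptr_t)len - (p - b);
}

int main(void)
{
    const unsigned char *buf = sample_packet;
    /* The case from the report: len = ULONG_MAX must be rejected, not accepted. */
    printf("ULONG_MAX len rejected: %d\n", !range_ptrinbuf_safe(buf, (unsigned long)-1, buf + 1));
    printf("buf+15 in buf[16]:      %d\n", range_ptrinbuf_safe(buf, 16, buf + 15));
    printf("buf+16 in buf[16]:      %d\n", range_ptrinbuf_safe(buf, 16, buf + 16));
    printf("8 bytes at buf+8 fit:   %d\n", range_fits(buf, 16, buf + 8, 8));
    printf("9 bytes at buf+8 fit:   %d\n", range_fits(buf, 16, buf + 8, 9));
    return 0;
}
```

Because the arithmetic never forms an out-of-range pointer, the result does not depend on which compiler version or optimization level is used.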
