This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug c/27180] New: pointer arithmetic overflow handling broken
- From: "felix-gcc at fefe dot de" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 17 Apr 2006 02:19:22 -0000
- Subject: [Bug c/27180] New: pointer arithmetic overflow handling broken
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
I have this function:
static inline int range_ptrinbuf(const void* buf, unsigned long len, const void* ptr) {
    register const char* c = (const char*)buf;
    /* non-NULL buffer, c+len must not wrap, and ptr must lie before buf+len */
    return (c && c+len>c && (const char*)ptr-c<len);
}
I tested it with this test:
assert(range_ptrinbuf(buf,(unsigned long)-1,buf+1)==0);
With gcc 3.4.5, this passes (with and without optimization).
With gcc 4.1.0, this fails. I put in a printf to see if any of the values is
incorrectly calculated -- it's "c+len>c" that incorrectly returns 0. This is
with and without optimizer.
This is very bad because this kind of check is used to do security checks when
validating data from incoming network packets. I was planning to use this
function to check data in incoming SMB packets. This bug causes all kinds of
well-meaning security checks to silently fail. I also compiled Samba and my
Linux kernel with gcc 4.1. I'm feeling very uncomfortable now. Please release
a fixed gcc version ASAP!
--
Summary: pointer arithmetic overflow handling broken
Product: gcc
Version: 4.1.0
Status: UNCONFIRMED
Severity: blocker
Priority: P3
Component: c
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: felix-gcc at fefe dot de
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27180
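The report above hinges on the `c+len>c` test, which forms a pointer past the end of the object and compares it with the base. The following is an added example, not code from the reporter or from GCC, showing a hypothetical `range_ptrinbuf_safe` that performs the same wrap-around and in-bounds checks in `uintptr_t` arithmetic, where unsigned overflow is well defined, so the result does not depend on how the compiler treats out-of-range pointer arithmetic. It assumes `unsigned long` fits in `uintptr_t` (true for the reporter's i686 target and for LP64 Linux).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical replacement for the reporter's range_ptrinbuf (added example).
 * Instead of computing the pointer c+len and comparing it with c, the check
 * asks whether len would carry the base address past UINTPTR_MAX; that is an
 * ordinary unsigned comparison with no pointer formed out of range.
 * Returns 1 when ptr lies in [buf, buf+len), 0 otherwise. */
int range_ptrinbuf_safe(const void *buf, unsigned long len, const void *ptr)
{
    uintptr_t b = (uintptr_t)buf;
    uintptr_t p = (uintptr_t)ptr;

    if (buf == NULL)
        return 0;
    /* Reject any len for which b + len would exceed the address space
     * (this is the test the reporter expected c+len>c to perform). */
    if ((uintptr_t)len > UINTPTR_MAX - b)
        return 0;
    /* ptr must be at or after buf and strictly before buf + len. */
    return p >= b && p - b < (uintptr_t)len;
}

/* Runs the reporter's assertion plus a few neighbouring cases against the
 * safe version; the buffer is a constructed sample. Returns 1 if every case
 * behaves as the reporter expected. */
int reporter_test_passes(void)
{
    static const char buf[16];  /* constructed sample buffer */
    int in_range = range_ptrinbuf_safe(buf, sizeof buf, buf + 1);             /* 1 */
    int wrapped  = range_ptrinbuf_safe(buf, (unsigned long)-1, buf + 1);      /* 0 */
    int past_end = range_ptrinbuf_safe(buf, sizeof buf, buf + sizeof buf);    /* 0 */
    int null_buf = range_ptrinbuf_safe(NULL, 1, buf);                         /* 0 */
    return in_range == 1 && wrapped == 0 && past_end == 0 && null_buf == 0;
}

int main(void)
{
    printf("safe range check: %s\n", reporter_test_passes() ? "all cases ok" : "FAILED");
    return reporter_test_passes() ? 0 : 1;
}
```

The `(unsigned long)-1` case from the report is rejected by the `UINTPTR_MAX - b` comparison alone, since any non-null base address leaves less than `UINTPTR_MAX` bytes of room; the function never has to rely on a pointer comparison whose operands lie outside the object.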