[Bug c/27180] New: pointer arithmetic overflow handling broken
felix-gcc at fefe dot de
gcc-bugzilla@gcc.gnu.org
Mon Apr 17 02:19:00 GMT 2006
I have this function:
static inline int range_ptrinbuf(const void* buf,unsigned long len,const void* ptr) {
  register const char* c=(const char*)buf;
  return (c && c+len>c && (const char*)ptr-c<len);
}
I tested it with this test:
assert(range_ptrinbuf(buf,(unsigned long)-1,buf+1)==0);
With gcc 3.4.5, this passes (with and without optimization).
With gcc 4.1.0, this fails. I put in a printf to see if any of the values is
incorrectly calculated -- it's "c+len>c" that incorrectly returns 0. This is
with and without optimizer.
This is very bad because this kind of check is used to do security checks when
validating data from incoming network packets. I was planning to use this
function to check data in incoming SMB packets. This bug causes all kinds of
well-meaning security checks to silently fail. I also compiled Samba and my
Linux kernel with gcc 4.1. I'm feeling very uncomfortable now. Please release
a fixed gcc version ASAP!
--
Summary: pointer arithmetic overflow handling broken
Product: gcc
Version: 4.1.0
Status: UNCONFIRMED
Severity: blocker
Priority: P3
Component: c
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: felix-gcc at fefe dot de
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27180
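The following is an added example, not the reporter's code and not part of the bug report. It shows the same "is ptr inside buf[0..len)" check written so that no step depends on pointer arithmetic wrapping: forming buf+len for an out-of-range len is undefined behaviour in C, so a compiler is entitled to assume "c+len>c" never becomes false and can fold it away, whereas unsigned integer arithmetic is defined to wrap, so an overflow test done on uintptr_t values survives optimization. It assumes a flat address space where casting a pointer to uintptr_t yields its address (true on the i686-pc-linux-gnu target named in the report); the function name range_ptrinbuf_safe is chosen here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not the reporter's code): bounds check that never forms an
 * out-of-range pointer.  Assumes a flat address space, so (uintptr_t)p is the
 * numeric address of p.  Unsigned integer overflow is defined (it wraps), so
 * the "b + len < b" test cannot be removed by the optimizer the way a
 * "c+len > c" pointer comparison can.
 */
static inline int range_ptrinbuf_safe(const void *buf, size_t len, const void *ptr)
{
    uintptr_t b = (uintptr_t)buf;
    uintptr_t p = (uintptr_t)ptr;

    if (buf == NULL)
        return 0;
    /* reject any len for which buf+len would wrap around the address space */
    if (b + len < b)
        return 0;
    /* ptr is inside iff 0 <= ptr - buf < len, computed as unsigned integers */
    return p >= b && (p - b) < len;
}

int main(void)
{
    char buf[16];   /* constructed sample buffer */

    /* the reporter's failing case: len = (unsigned long)-1 must be rejected */
    int huge_len_rejected = range_ptrinbuf_safe(buf, (size_t)-1, buf + 1) == 0;
    int in_range_accepted = range_ptrinbuf_safe(buf, sizeof buf, buf + 15) == 1;
    int past_end_rejected = range_ptrinbuf_safe(buf, sizeof buf, buf + sizeof buf) == 0;

    printf("huge len rejected: %d, in-range accepted: %d, one-past-end rejected: %d\n",
           huge_len_rejected, in_range_accepted, past_end_rejected);
    return (huge_len_rejected && in_range_accepted && past_end_rejected) ? 0 : 1;
}
```

The same idea applies to any length-vs-pointer check on attacker-controlled data (packet lengths, file offsets): compare offsets and lengths as unsigned integers, and only form a pointer once the offset is known to lie within the buffer.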