[Bug 206804] Inconsistent type handling for sizes in sbuf code

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jan 31 18:20:50 UTC 2016


            Bug ID: 206804
           Summary: Inconsistent type handling for sizes in sbuf code
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

Definition of `struct sbuf` in `/sys/sys/sbuf.h`:

struct sbuf {
        char            *s_buf;         /* storage buffer */
        sbuf_drain_func *s_drain_func;  /* drain function */
        void            *s_drain_arg;   /* user-supplied drain argument */
        int              s_error;       /* current error code */
        ssize_t          s_size;        /* size of storage buffer */
        ssize_t          s_len;         /* current length of string */
#define SBUF_FIXEDLEN   0x00000000      /* fixed length buffer (default) */
#define SBUF_AUTOEXTEND 0x00000001      /* automatically extend buffer */
#define SBUF_INCLUDENUL 0x00000002      /* nulterm byte is counted in len */
#define SBUF_USRFLAGMSK 0x0000ffff      /* mask of flags the user may specify */
#define SBUF_DYNAMIC    0x00010000      /* s_buf must be freed */
#define SBUF_FINISHED   0x00020000      /* set by sbuf_finish() */
#define SBUF_DYNSTRUCT  0x00080000      /* sbuf must be freed */
#define SBUF_INSECTION  0x00100000      /* set by sbuf_start_section() */
        int              s_flags;       /* flags */
        ssize_t          s_sect_len;    /* current length of section */
};

All sizes and lengths, such as `s_size`, are of type `ssize_t`.

However, some functions in `sys/kern/subr_sbuf.c` incorrectly treat these sizes
as `int`, which could lead to unexpected truncation on platforms where
`sizeof(int) != sizeof(ssize_t)`:

struct sbuf *
sbuf_new(struct sbuf *s, char *buf, int length, int flags)
    sbuf_newbuf(s, buf, length, flags);

static struct sbuf *
sbuf_newbuf(struct sbuf *s, char *buf, int length, int flags)
    s->s_size = length;

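Added example, not part of the original report or the FreeBSD source: a minimal model of the truncation described above, showing what lands in an `ssize_t` size field when the length passes through an `int` parameter, plus a caller-side range check. The names `demo_sbuf`, `demo_newbuf_int`, `stored_via_int` and `length_fits_int` are hypothetical, and the sample values assume an LP64 platform (32-bit `int`, 64-bit `ssize_t`).

```c
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for struct sbuf; only the size field is modelled. */
struct demo_sbuf {
	ssize_t s_size;
};

/* Same shape as the reported prototypes: the length arrives as int. */
static void
demo_newbuf_int(struct demo_sbuf *s, int length)
{
	s->s_size = length;	/* widened back, but high bits are already gone */
}

/* What ends up in s_size when a ssize_t request takes the int path. */
static ssize_t
stored_via_int(ssize_t requested)
{
	struct demo_sbuf s;

	/* Out-of-range conversion is implementation-defined; gcc and clang wrap. */
	demo_newbuf_int(&s, (int)requested);
	return (s.s_size);
}

/* Caller-side guard until the parameter type matches the field type. */
static int
length_fits_int(ssize_t requested)
{
	return (requested >= 0 && requested <= INT_MAX);
}

int
main(void)
{
	/* Constructed sample requests; the last two exceed INT_MAX on LP64. */
	ssize_t reqs[] = { 4096, INT_MAX, (ssize_t)INT_MAX + 1,
	    ((ssize_t)1 << 32) + 16 };

	for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
		printf("requested=%lld stored=%lld fits_int=%d\n",
		    (long long)reqs[i], (long long)stored_via_int(reqs[i]),
		    length_fits_int(reqs[i]));
	return (0);
}
```

A request of 2^32 + 16 bytes is recorded as 16, so the recorded size no longer matches what the caller asked for; rejecting lengths that fail `length_fits_int` keeps the two in agreement.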
