* Ingo Molnar <[email protected]> wrote:
>
> * Ingo Molnar <[email protected]> wrote:
>
> > 2)
> >
> > Another problem is that strlcpy() will also happily do bad stuff if we pass
> > it a negative size. Instead of that we will from now on print a (one time)
> > warning and return safely.
>
> Hm, so this check is buggy, as 'size_t' is unsigned - and for some reason GCC
> didn't warn about the never-met comparison and the resulting unreachable dead
> code here:
>
> > + /* Overflow check: */
> > + if (unlikely(dest_size < 0)) {
> > + WARN_ONCE(1, "strlcpy(): dest_size < 0 underflow!");
> > + return strlen(src);
> > + }
>
> which is annoying.
>
> Would people object to something like:
>
> > + /* Overflow check: */
> > + if (unlikely((ssize_t)dest_size < 0)) {
> > + WARN_ONCE(1, "strlcpy(): dest_size < 0 underflow!");
> > + return strlen(src);
> > + }
>
> ?
>
> As I doubt it's legit to have larger than 2GB strings.
>
> Also, I'm wondering why GCC didn't warn.
Hm, so GCC (v4.9.2) will only warn about this bug if -Wtype-limits is enabled
explicitly:
lib/string.c: In function ‘strlcpy’:
lib/string.c:228:32: warning: comparison of unsigned expression < 0 is always
false [-Wtype-limits]
if (unlikely((size_t)dst_size < 0)) {
^
... which we don't do in the kernel.
Has anyone considered enabling -Wtype-limits? It seems to catch real bugs.
I can see there are patches that enable -Wextra (which enables -Wtype-limits
and
many other warnings), but it would be more manageable to just enable one such
warning at a time.
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
