Re: On NULL and 0
> Zero is completely acceptable for a null pointer constant in all
> circumstances *except* when passing to a varargs function, which can go
> badly wrong on platforms where the sizeof a pointer is larger than the
> sizeof an int.

This is a serious loophole on such platforms, since the compiler cannot diagnose the error. (The "sentinel" attribute covers only one special case.)

Our approach has been to ask compiler vendors to widen such integer arguments to intptr_t (or uintptr_t), which is happily doable since the vendors are already passing `int' arguments in intptr-wide registers or stack slots. A couple of vendors only gave us a secret option for this; we are now asking them to enable the option by default :-)

This is also a problem when passing to a function whose prototype is not in scope. (Compilers can issue a diagnostic for that, but they should also widen in such cases as well.)

Tom Truscott
Re: US-CERT Vulnerability Note VU#162289
Here is an unintended bug I encountered recently; hopefully the "cert" warning will catch this one too.

    int okay_to_increment (int i)
    {
        if (i + 1 < i)
            return 0;   /* adding 1 would cause overflow */
        return 1;       /* adding 1 is safe */
    }

Any sort of bug can cause a security vulnerability, so I recommend that gcc developers work harder on warning messages.

Tom Truscott
RE: US-CERT Vulnerability Note VU#162289
Oops, sorry! That is a very nice warning (apparently in gcc newer than 4.2).

-----Original Message-----
From: Ian Lance Taylor [mailto:[EMAIL PROTECTED]
Sent: Monday, April 07, 2008 4:40 PM
To: Tom Truscott
Cc: gcc@gcc.gnu.org
Subject: Re: US-CERT Vulnerability Note VU#162289

Tom Truscott <[EMAIL PROTECTED]> writes:

> Here is an unintended bug I encountered recently; hopefully the "cert"
> warning will catch this one too.
>
>     int okay_to_increment (int i)
>     {
>         if (i + 1 < i)
>             return 0;   /* adding 1 would cause overflow */
>         return 1;       /* adding 1 is safe */
>     }
>
> Any sort of bug can cause a security vulnerability, so I recommend that gcc
> developers work harder on warning messages.

I can't tell whether you are joking or not, but as it happens we already warn about this case with -Wall:

    foo.c: In function ‘okay_to_increment’:
    foo.c:3: warning: assuming signed overflow does not occur when assuming that (X + c) < X is always false

Ian
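The overflow test discussed in this thread, rewritten so that no signed overflow is ever evaluated, as an added example that is not part of the thread or of GCC: the hazardous form is kept beside it for comparison only, followed by a check against INT_MAX and a general checked add (the function names are my own; `__builtin_add_overflow` is the GCC/Clang builtin, used only where `__GNUC__` is defined).

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The check from the thread, kept only to show the hazard: when
 * i == INT_MAX, i + 1 overflows a signed int, which is undefined
 * behaviour, so the compiler may assume it never happens and fold
 * (i + 1 < i) to false. Its result cannot be relied on. */
bool okay_to_increment_hazardous(int i)
{
    return !(i + 1 < i);
}

/* Correct form: compare before adding, so the overflowing addition
 * is never evaluated. */
bool okay_to_increment(int i)
{
    return i < INT_MAX;
}

/* General form: true and *out = a + b when the sum fits in int,
 * false with *out untouched otherwise. INT_MAX - b and INT_MIN - b
 * cannot themselves overflow given the sign tests that guard them. */
bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Same check via the compiler builtin where available (GCC 5+,
 * Clang); the builtin stores the wrapped sum even on overflow. */
bool checked_add_int_builtin(int a, int b, int *out)
{
#if defined(__GNUC__)
    return !__builtin_add_overflow(a, b, out);
#else
    return checked_add_int(a, b, out);
#endif
}

int main(void)
{
    int r = 0;
    printf("okay_to_increment(INT_MAX)  = %d\n", okay_to_increment(INT_MAX));
    printf("checked_add_int(INT_MAX, 1) = %d\n", checked_add_int(INT_MAX, 1, &r));
    if (checked_add_int(40, 2, &r))
        printf("40 + 2 = %d\n", r);
    return 0;
}
```

Compiling with `-Wall` on a GCC of the era shows the warning Ian quotes for the hazardous function, while the two correct functions produce none.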