Jesper Juhl <[email protected]> wrote:
>
> If a sufficiently large 'num' is passed to the function, the for loop
> becomes an infinite loop - as far as I can see, that's a bug waiting to
> happen. Sure, 'len' in struct poll_list is currently an int, so currently
> this can't happen, but that might change in the future. In my oppinion,
> a function should be able to function correctly with the complete range
> of values that can potentially be passed via its parameters, and without
> the patch below that's just not true for this function.
>
> Signed-off-by: Jesper Juhl <[email protected]>
>
> --- linux-2.6.12-rc2-mm3-orig/fs/select.c 2005-04-05 21:21:47.000000000 +0200
> +++ linux-2.6.12-rc2-mm3/fs/select.c 2005-04-24 01:11:13.000000000 +0200
> @@ -397,7 +397,7 @@ struct poll_list {
> static void do_pollfd(unsigned int num, struct pollfd * fdpage,
> poll_table ** pwait, int *count)
> {
> - int i;
> + unsigned int i;
>
> for (i = 0; i < num; i++) {
> int fd;
An expression such as the above which mixes signed and unsigned types will
promote the signed types to unsigned. So there is no bug in the above
`for' statement.
But there's a bug a bit further on:
> unsigned int mask;
> struct pollfd *fdp;
>
> mask = 0;
> fdp = fdpage+i;
This will oops the kernel if there are more than 2^31 pollfd's at *fdpage.
Yes, like most signed variables in the kernel, `i' should really be
unsigned, but I don't think it's worth raising a patch to change it.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]