[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #51447] Sequence number comparisons invoke undefined b
|
From: |
Ambroz Bizjak |
|
Subject: |
[lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior |
|
Date: |
Tue, 11 Jul 2017 18:19:33 -0400 (EDT) |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 |
URL:
<http://savannah.nongnu.org/bugs/?51447>
Summary: Sequence number comparisons invoke undefined
behavior
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: abizjak
Submitted on: Tue 11 Jul 2017 10:19:32 PM UTC
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
See TCP_SEQ_LT and similar macros:
http://git.savannah.gnu.org/cgit/lwip.git/tree/src/include/lwip/priv/tcp_priv.h#n106
Two u32 are subtracted and the result is converted to s32. This is undefined
behavior when the value is not representable in s32.
Fixed code:
#define TCP_SEQ_LT(a,b) (((u32_t)(a) - (u32_t)(b)) >= 0x80000000u)
or
#define TCP_SEQ_LT(a,b) ((((u32_t)(a) - (u32_t)(b)) & 0x80000000u) != 0)
or
#define TCP_SEQ_LT(a,b) (((u32_t)(a) - (u32_t)(b)) >> 31)
In other words, a is less then b when the most significant bit in (a - b) mod
2^32 is set. One can see how this is exactly the same as the current
implementation except for the the lack of undefined behavior, considering twos
complement difference is the same thing as unsigned difference bitwise, and
the sign bit is the most significant bit.
And the others can be expressed in terms of this one:
#define TCP_SEQ_LEQ(a,b) (!(TCP_SEQ_LT(b,a)))
#define TCP_SEQ_GT(a,b) TCP_SEQ_LT(b,a)
#define TCP_SEQ_GEQ(a,b) TCP_SEQ_LEQ(b,a)
This is a theoretical bug, I chose "Crash Error" since it can in theory cause
a crash.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?51447>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior,
Ambroz Bizjak <=
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Ambroz Bizjak, 2017/07/11
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Stian Sebastian Skjelstad, 2017/07/12
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Stian Sebastian Skjelstad, 2017/07/12
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Ambroz Bizjak, 2017/07/12
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Ambroz Bizjak, 2017/07/12
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Valery Ushakov, 2017/07/13
- [lwip-devel] [bug #51447] Sequence number comparisons invoke undefined behavior, Ambroz Bizjak, 2017/07/13
- [lwip-devel] [bug #51447] Sequence number comparisons invoke implementation-defined behavior, Simon Goldschmidt, 2017/07/14
- [lwip-devel] [bug #51447] Sequence number comparisons invoke implementation-defined behavior, Simon Goldschmidt, 2017/07/14
- [lwip-devel] [bug #51447] Sequence number comparisons invoke implementation-defined behavior, Ambroz Bizjak, 2017/07/17