From: Daniel Elstner
Subject: [lwip-devel] [bug #51538] Don't use signed types when overflow is expected
Date: Sat, 22 Jul 2017 10:02:15 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?51538>

Summary: Don't use signed types when overflow is expected
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: danielk
Submitted on: Sat 22 Jul 2017 04:02:14 PM CEST
Category: None
Severity: 3 - Normal
Item Group: Change Request
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head

_______________________________________________________

Details:

I just noticed that commit f3c860958fbea544e9e1e4222339a1373dcbf3b6
"-Wconversion (still far from finished) and other minor compilation fixes..."
changes some types from unsigned to signed. Some of these are in code I wrote
in sntp.c:

- #define DIFF_SEC_1970_2036 ((u32_t)2085978496L)
+ #define DIFF_SEC_1970_2036 ((s32_t)2085978496L)

- ut = (u32_t)((u32_t)sec + DIFF_SEC_1970_2036);
+ ut = (time_t)((time_t)sec + (time_t)DIFF_SEC_1970_2036);

The problem with these changes is that according to the C standard, any
overflow resulting from calculations on signed integer types leads to
undefined behavior. That is the reason why I put these convoluted casts to
and from unsigned in the code; as for unsigned integer types the C standard
defines modulo behavior in case of overflow.

The use of time_t in the calculations could also lead to wrong results due to
sign extension on platforms where time_t is a signed 64-bit integer.

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?51538>

_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
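Review bot: the `+` lines move the DIFF_SEC_1970_2036 addition out of defined unsigned wraparound and into signed `time_t` arithmetic, which is the wrong direction for a value that is meant to wrap. `(time_t)sec + (time_t)DIFF_SEC_1970_2036` with a 32-bit signed `time_t` overflows for any `sec` above 61505151 (INT32_MAX minus 2085978496), which is undefined behaviour; with a 64-bit `time_t` the sum never wraps, so every NTP value from the 1970-2036 range comes out 2^32 seconds too large. Suggest keeping the unsigned computation, `ut = (u32_t)((u32_t)sec + DIFF_SEC_1970_2036);`, and, where a `time_t` is wanted, casting the already-wrapped u32 result afterwards; the `(s32_t)` change to the `#define` can be dropped with it, since it only serves the signed expression.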
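The arithmetic the report is about, as an added C example that is not lwIP's sntp.c and not the submitter's code: it keeps the original unsigned formula (NTP seconds since 1900 plus 2085978496, taken modulo 2^32, equals Unix seconds since 1970), computes the same formula widened into `int64_t` as a stand-in for a 64-bit `time_t` to show the non-wrapping result, and adds a pre-check for the case where a signed 32-bit type cannot be avoided. The NTP input values and the function names `ntp_to_unix_u32`, `ntp_to_unix_widened`, `ntp_to_unix_time64` and `s32_add_would_overflow` are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example; not lwIP code.
 * NTP timestamps count seconds from 1900-01-01, Unix time from 1970-01-01,
 * which is 2208988800 seconds later.  Modulo 2^32 that offset equals
 * 2^32 - 2208988800 = 2085978496, so *adding* 2085978496 in unsigned 32-bit
 * arithmetic subtracts the 1900->1970 offset and also covers the 2036 NTP
 * era rollover, relying only on C's defined unsigned wraparound. */
#define DIFF_SEC_1970_2036 ((uint32_t)2085978496UL)

/* The unsigned approach: everything stays in uint32_t, wraparound is defined. */
uint32_t ntp_to_unix_u32(uint32_t ntp_sec)
{
    return (uint32_t)(ntp_sec + DIFF_SEC_1970_2036);
}

/* The same formula evaluated in a 64-bit signed stand-in for time_t, i.e.
 * widened *before* the addition.  Nothing wraps, so every NTP value from the
 * 1970-2036 range comes out 2^32 seconds too large. */
int64_t ntp_to_unix_widened(uint32_t ntp_sec)
{
    return (int64_t)ntp_sec + (int64_t)DIFF_SEC_1970_2036;
}

/* Getting a 64-bit time_t-like value correctly: do the modular arithmetic in
 * uint32_t first, then widen the already-wrapped result. */
int64_t ntp_to_unix_time64(uint32_t ntp_sec)
{
    return (int64_t)ntp_to_unix_u32(ntp_sec);
}

/* If a signed 32-bit type really must be used, overflow has to be ruled out
 * before the addition: signed overflow is undefined behaviour and compilers
 * may assume it never happens.  Returns 1 if a + b would overflow int32_t. */
int s32_add_would_overflow(int32_t a, int32_t b)
{
    if (b > 0 && a > INT32_MAX - b) return 1;
    if (b < 0 && a < INT32_MIN - b) return 1;
    return 0;
}

int main(void)
{
    /* Constructed NTP value: 3710000000 seconds since 1900 is in July 2017. */
    uint32_t ntp_2017 = 3710000000UL;
    /* Constructed value from NTP era 1 (after the February 2036 rollover). */
    uint32_t ntp_era1 = 100000000UL;

    printf("u32      : %lu\n",  (unsigned long)ntp_to_unix_u32(ntp_2017));
    printf("widened  : %lld\n", (long long)ntp_to_unix_widened(ntp_2017));
    printf("time64   : %lld\n", (long long)ntp_to_unix_time64(ntp_2017));
    printf("era1 u32 : %lu\n",  (unsigned long)ntp_to_unix_u32(ntp_era1));
    printf("s32 check: %d\n",
           s32_add_would_overflow((int32_t)61505152, (int32_t)2085978496L));
    return 0;
}
```

The widened version differs from the unsigned one by exactly 2^32 for the 2017 input, while both agree for the era-1 input because no wrap is needed there; that is the data-dependent breakage the report warns about. The overflow pre-check shows the bound at which a signed 32-bit sum with 2085978496 stops being defined: one past 61505151.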