Re: Suggestion on "int len" sanity

From: Takashi Iwai
Date: Fri Jun 03 2005 - 07:49:29 EST


At Fri, 3 Jun 2005 11:42:23 +0200 (CEST),
Geert Uytterhoeven wrote:
>
> On Wed, 1 Jun 2005, Willy Tarreau wrote:
> > On Wed, Jun 01, 2005 at 09:06:33AM +0200, XIAO Gang wrote:
> > > I would like to make a security suggestion.
> > >
> > > There are many length variables in the kernel, locally declared as "len"
> > > or "length", either as "int", "unsigned int" or "size_t". However,
> > > declaring a length as "int" leads easily to an erroneous situation, as
> > > the author (or even a code checker) might make the implicit hypothesis
> > > that the length is positive, so that it is enough to make a sanity check
> > > of the kind
> > >
> > > if (length > limit) ERROR;
> > >
> > > which is not enough.
> > >
> > > On the other hand, when a variable is named "len" or "length", it is
> > > usually used for length and never should go negative. So could I suggest
> > > that the declarations of these variables be uniformized to "size_t",
> > > via a gradual but systematic cleanup?
> >
> > Probably true for most cases, but be careful of code which would use
> > -1 to report some errors, if such a thing exists.
>
> In that case, use ssize_t.

In some cases, we may want to avoid [s]size_t because it varies on 32-
and 64-bit archs (e.g. ioctl parameters)...


Takashi
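As an added example (not code from this thread or from the kernel), the following C shows the gap XIAO Gang describes: the upper-bound-only check accepts a negative `int` length, which turns into a huge `size_t` at the copy; switching the type to `size_t` makes the same one-line check sufficient, and `ssize_t` keeps Willy's "-1 means error" convention provided the caller tests for it first. The buffer, limit and the -1 "too long" code are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t (POSIX, as in the kernel headers) */

#define LIMIT 64         /* hypothetical maximum accepted length */

/* The pattern the thread warns about: only the upper bound is tested.
 * Returns 1 if the length is accepted, 0 if rejected. */
int accept_len_signed(int len)
{
    if (len > LIMIT)
        return 0;        /* catches 65 and up ... */
    return 1;            /* ... but -1 is "not > LIMIT" and slips through */
}

/* Same check with the type the thread proposes. size_t cannot be
 * negative, so the single upper-bound test now covers every case. */
int accept_len_size_t(size_t len)
{
    if (len > LIMIT)
        return 0;
    return 1;
}

/* What the accepted negative value costs downstream: the byte count a
 * memcpy(dst, src, len) would really use once int is converted to size_t. */
size_t bytes_copied(int len)
{
    return (size_t)len;  /* -1 becomes SIZE_MAX: the whole address space */
}

/* Willy's case: negative values are legitimate error codes, so ssize_t is
 * kept, and the sign is tested before the size. Returns bytes copied,
 * the propagated error, or -1 (assumed code) when the length exceeds
 * the constructed 8-byte destination. */
static char dst[8];

ssize_t safe_copy(const char *src, ssize_t len)
{
    if (len < 0)
        return len;                 /* propagate error, copy nothing */
    if ((size_t)len > sizeof dst)
        return -1;                  /* hypothetical "too long" code */
    memcpy(dst, src, (size_t)len);  /* conversion is now provably safe */
    return len;
}
```

Note that `sizeof(size_t)` is 4 on 32-bit and 8 on 64-bit builds, which is exactly why Takashi's caveat matters for anything that crosses a userspace ABI such as an ioctl argument.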