[Drbd-dev] integer overflow in dagtag_newer_eq(0, 1ULL<<63)

Lars Ellenberg lars.ellenberg at linbit.com
Wed Jun 12 16:06:15 CEST 2019


On Wed, Jun 05, 2019 at 10:01:27AM -0600, David Butterfield wrote:
> drbd_sender.c:maybe_send_unplug_remote() can assign (1ULL << 63) to unplug_dagtag_sector[i]:
> 
> 1674                 connection->todo.unplug_dagtag_sector[connection->todo.unplug_slot] =
> 1675                         connection->send.current_dagtag_sector + (1ULL << 63);
> 
> Later it reaches dagtag_newer_eq(0, unplug_dagtag_sector[i]) which converts its arguments to
> signed before subtracting.
> 
> 272 #define dagtag_newer_eq(a,b)      \
> 273         (typecheck(u64, a) && \
> 274          typecheck(u64, b) && \
> 275         ((s64)(a) - (s64)(b) >= 0))
> 
> But (signed)(1ULL << 63) is the maximum negative integer, and the value of
> (0 - (signed)(1ULL << 63)) cannot be represented.  So the subtraction ends in integer overflow.
> 
> drbd_sender.c:1660:9: runtime error: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long i

I don't care ;-)
but we can add in a -1, if it makes the world a better place


    Lars
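The arithmetic behind the report, as an added standalone C example (not DRBD's code and not from either poster): the quoted macro casts both u64 operands to s64 and subtracts, which is undefined behaviour when the true difference leaves the s64 range, as for 0 - (s64)(1ULL << 63). The `dagtag_newer_eq_safe` function below is a hypothetical wrap-safe rewrite that subtracts in u64 (defined modulo 2^64) before reinterpreting the difference as signed; `unplug_dagtag` and `unplug_dagtag_minus_one` model the tag assignment from the report and Lars's "-1" suggestion so the two can be compared. The overflow probe uses the GCC/clang `__builtin_sub_overflow` builtin so that no undefined arithmetic is actually executed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
typedef int64_t s64;

/* The comparison as quoted from drbd_sender.c (typecheck() dropped): both
 * operands are cast to s64 and subtracted as signed values. Signed overflow
 * is undefined behaviour in C, which is what UBSan reports for 0 - INT64_MIN.
 * Kept here for contrast only; it is never evaluated on overflowing inputs. */
#define dagtag_newer_eq_signed(a, b) \
	(((s64)(a) - (s64)(b)) >= 0)

/* Hypothetical wrap-safe formulation: subtract in u64, where wrap-around is
 * defined modulo 2^64, then reinterpret the difference as signed. Wherever the
 * signed macro does not overflow the two agree; where it would overflow, this
 * form still yields a well-defined answer. */
static inline bool dagtag_newer_eq_safe(u64 a, u64 b)
{
	return (s64)(a - b) >= 0;
}

/* Report whether evaluating the signed macro on (a, b) would overflow,
 * without executing the overflow itself. */
static inline bool dagtag_signed_diff_overflows(u64 a, u64 b)
{
	s64 unused;
	return __builtin_sub_overflow((s64)a, (s64)b, &unused);
}

/* Models the unplug_dagtag_sector assignment from the report: current dagtag
 * plus 2^63. With current == 0 the tag is exactly INT64_MIN once cast to s64,
 * and 2^63 is also the one difference that a signed comparison cannot place
 * on either side of zero. */
static inline u64 unplug_dagtag(u64 current_dagtag_sector)
{
	return current_dagtag_sector + (1ULL << 63);
}

/* Lars's "-1" variant: current plus 2^63 - 1, i.e. INT64_MAX relative to
 * current rather than INT64_MIN. */
static inline u64 unplug_dagtag_minus_one(u64 current_dagtag_sector)
{
	return current_dagtag_sector + (1ULL << 63) - 1;
}

int main(void)
{
	u64 current = 0; /* constructed input matching the UBSan report */
	u64 tag = unplug_dagtag(current);

	printf("tag = 0x%016llx, signed form overflows: %d, wrap-safe newer_eq(0, tag) = %d\n",
	       (unsigned long long)tag,
	       dagtag_signed_diff_overflows(current, tag),
	       dagtag_newer_eq_safe(current, tag));

	tag = unplug_dagtag_minus_one(current);
	printf("tag-1 = 0x%016llx, signed form overflows: %d, wrap-safe newer_eq(0, tag) = %d\n",
	       (unsigned long long)tag,
	       dagtag_signed_diff_overflows(current, tag),
	       dagtag_newer_eq_safe(current, tag));
	return 0;
}
```

Compile with `-fsanitize=undefined` to confirm the wrap-safe form raises no report; the unsigned subtraction is well defined, so the sanitizer has nothing to flag. Note that with a plain `+ (1ULL << 63)` the tag sits exactly half the range away from `current`, so `dagtag_newer_eq_safe(tag, current)` is false while the `- 1` variant makes it true; the choice of offset decides which side of the comparison the unplug tag lands on.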


