[Drbd-dev] integer overflow in dagtag_newer_eq(0, 1ULL<<63)
David Butterfield
dab21774 at gmail.com
Wed Jun 5 18:01:27 CEST 2019

drbd_sender.c:maybe_send_unplug_remote() can assign (1ULL << 63) to unplug_dagtag_sector[i]:

    connection->todo.unplug_dagtag_sector[connection->todo.unplug_slot] =
        connection->send.current_dagtag_sector + (1ULL << 63);

Later it reaches dagtag_newer_eq(0, unplug_dagtag_sector[i]) which converts its arguments to
signed before subtracting.

    #define dagtag_newer_eq(a,b) \
        (typecheck(u64, a) && \
         typecheck(u64, b) && \
         ((s64)(a) - (s64)(b) >= 0))

But (signed)(1ULL << 63) is the maximum negative integer, and the value of
(0 - (signed)(1ULL << 63)) cannot be represented. So the subtraction ends in integer overflow.

    drbd_sender.c:1660:9: runtime error: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long i
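
An added example, not part of the original post and not DRBD code: it checks, without executing the undefined operation, whether the signed subtraction in the quoted macro overflows for a given pair of tags, and shows a comparison that subtracts in u64 first. The names signed_sub_overflows and dagtag_newer_eq_wrap are hypothetical, and __builtin_sub_overflow assumes GCC or Clang.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
typedef int64_t s64;

/* True when (s64)a - (s64)b, the expression inside the quoted macro, is not
 * representable in s64. The builtin reports the overflow instead of
 * performing the undefined signed subtraction. */
static bool signed_sub_overflows(u64 a, u64 b)
{
	s64 diff;

	return __builtin_sub_overflow((s64)a, (s64)b, &diff);
}

/* Hypothetical alternative (an assumption, not the project's fix): subtract
 * as u64, where wraparound is defined, then reinterpret the difference as
 * signed. The u64 -> s64 conversion is implementation-defined, not undefined;
 * GCC and Clang reduce it modulo 2^64. */
static bool dagtag_newer_eq_wrap(u64 a, u64 b)
{
	return (s64)(a - b) >= 0;
}

int main(void)
{
	const u64 half = 1ULL << 63;	/* the value from the report */

	printf("signed subtraction overflows for (0, 1<<63): %d\n",
	       signed_sub_overflows(0, half));
	printf("signed subtraction overflows for (5, 3):     %d\n",
	       signed_sub_overflows(5, 3));
	printf("wrap-safe newer_eq(0, 1<<63):                %d\n",
	       dagtag_newer_eq_wrap(0, half));
	printf("wrap-safe newer_eq(2, UINT64_MAX - 1):       %d\n",
	       dagtag_newer_eq_wrap(2, UINT64_MAX - 1));
	return 0;
}
```

Two tags exactly 2^63 apart compare as "not newer or equal" in both directions with the wrap-safe form, so a value at that distance cannot be ordered by this comparison.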