[Drbd-dev] integer overflow in dagtag_newer_eq(0, 1ULL<<63)
Lars Ellenberg
lars.ellenberg at linbit.com
Wed Jun 12 16:06:15 CEST 2019
On Wed, Jun 05, 2019 at 10:01:27AM -0600, David Butterfield wrote:
> drbd_sender.c:maybe_send_unplug_remote() can assign (1ULL << 63) to unplug_dagtag_sector[i]:
>
> 1674 connection->todo.unplug_dagtag_sector[connection->todo.unplug_slot] =
> 1675 connection->send.current_dagtag_sector + (1ULL << 63);
>
> Later it reaches dagtag_newer_eq(0, unplug_dagtag_sector[i]) which converts its arguments to
> signed before subtracting.
>
> 272 #define dagtag_newer_eq(a,b) \
> 273 (typecheck(u64, a) && \
> 274 typecheck(u64, b) && \
> 275 ((s64)(a) - (s64)(b) >= 0))
>
> But (signed)(1ULL << 63) is the maximum negative integer, and the value of
> (0 - (signed)(1ULL << 63)) cannot be represented. So the subtraction ends in integer overflow.
>
> drbd_sender.c:1660:9: runtime error: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long i
I don't care ;-)
but we can add in a -1, if it makes the world a better place
Lars
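As an added illustration (not DRBD's code, and not part of this thread), the following C shows the two ways to evaluate a wraparound comparison like `dagtag_newer_eq`: the page's form, which casts both operands to `s64` before subtracting and so can overflow, and the form that subtracts in unsigned arithmetic (defined to wrap modulo 2^64) and only reinterprets the result as signed. It also checks the effect of the `-1` Lars mentions on the specific `(1ULL << 63)` operand. The function names and the sample tag values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t u64;
typedef int64_t  s64;

/* Wraparound-safe "a is newer than or equal to b" (example, not DRBD's macro).
 * The subtraction happens in unsigned arithmetic, which the C standard defines
 * to wrap modulo 2^64, so no signed overflow can occur. Converting the
 * unsigned result to s64 is implementation-defined (two's complement
 * reinterpretation on GCC/Clang) rather than undefined. */
static inline bool dagtag_newer_eq_safe(u64 a, u64 b)
{
    return (s64)(a - b) >= 0;
}

/* Reports whether the page's form, (s64)a - (s64)b, would overflow for these
 * operands. __builtin_sub_overflow (GCC/Clang) performs the check without
 * executing the undefined subtraction itself. */
static bool signed_sub_would_overflow(u64 a, u64 b)
{
    s64 sa = (s64)a, sb = (s64)b;
    s64 result;
    return __builtin_sub_overflow(sa, sb, &result);
}

/* Hypothetical stand-in for the "unplug" tag computed in the quoted code:
 * the current tag plus a large offset. */
static u64 unplug_tag(u64 current_dagtag, u64 offset)
{
    return current_dagtag + offset;
}

int main(void)
{
    const u64 half = 1ULL << 63;      /* offset used in the quoted code */
    const u64 half_m1 = half - 1;     /* offset with the -1 Lars suggests */

    /* Ordinary and wrapped orderings behave as expected. */
    printf("5 >= 3          : %d\n", dagtag_newer_eq_safe(5, 3));
    printf("3 >= 5          : %d\n", dagtag_newer_eq_safe(3, 5));
    printf("2 >= MAX-1 (wrap): %d\n", dagtag_newer_eq_safe(2, UINT64_MAX - 1));

    /* The reported case: 0 compared against current + 2^63. */
    u64 tag = unplug_tag(0, half);
    printf("signed form overflows for (0, 2^63)   : %d\n",
           signed_sub_would_overflow(0, tag));
    printf("unsigned form result for (0, 2^63)    : %d\n",
           dagtag_newer_eq_safe(0, tag));

    /* With the -1, the INT64_MIN operand disappears for this input. */
    tag = unplug_tag(0, half_m1);
    printf("signed form overflows for (0, 2^63-1) : %d\n",
           signed_sub_would_overflow(0, tag));
    printf("unsigned form result for (0, 2^63-1)  : %d\n",
           dagtag_newer_eq_safe(0, tag));
    return 0;
}
```

Note that the `-1` removes the `INT64_MIN` operand for this particular call, but the signed form can still overflow for other operand pairs whose true difference exceeds the `s64` range; the unsigned subtraction has no such case, which is why compilers with `-fsanitize=undefined` stay quiet on it.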