Subject: Re: bin/23362: usermod doesn't check for overflow of uid/gid
To: None <>
From: David Laight <>
List: netbsd-bugs
Date: 11/03/2003 20:03:42
> >Synopsis:       usermod doesn't check for overflow of uid/gid
> usermod uses atoi() to parse its arguments. atoi() shouldn't be used in
> *any* half-serious program because it has no defined indicator for any
> errors.
> >How-To-Repeat:
> # usermod -u 10000000000000 juser
> $ id juser
> uid=2147483647(juser) gid=1(users) groups=1(users)


In particular the last part of the paragraph which says:

    The ISO C standard requires that a C compiler must issue a diagnostic
    for constants that are too large to represent.  Most standard utilities
    are not required to issue these diagnostics; for example, the command:

	diff -C 2147483648 file1 file2

    has undefined behavior, and the diff utility is not required to issue a
    diagnostic even if the number 2147483648 cannot be represented.

So it isn't necessary to make every utility check for numeric input


David Laight:
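
The parsing problem from the quoted report, as an added example that is not part of the original message or of NetBSD's usermod source: `atoi()` next to a strict parser built on `strtoull()`. The names `legacy_parse_id` and `parse_id` and the limit `ID_MAX` are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption for this example: largest id accepted (a 32-bit signed maximum,
 * the value shown in the report's output). */
#define ID_MAX 2147483647LL

/* What the report describes: atoi() has no error return. Garbage yields 0 or a
 * numeric prefix, and out-of-range input is undefined behaviour in ISO C. */
int legacy_parse_id(const char *arg)
{
    return atoi(arg);
}

/* Hypothetical strict parser: returns the id, or -1 on any malformed or
 * out-of-range input. */
long long parse_id(const char *arg)
{
    char *end;
    unsigned long long v;

    /* Require a leading digit: strtoull() would otherwise skip whitespace
     * and accept a sign, silently turning "-1" into a huge value. */
    if (arg == NULL || arg[0] < '0' || arg[0] > '9')
        return -1;
    errno = 0;
    v = strtoull(arg, &end, 10);
    if (errno == ERANGE)      /* does not fit even in unsigned long long */
        return -1;
    if (*end != '\0')         /* trailing junk such as "12abc" */
        return -1;
    if (v > (unsigned long long)ID_MAX)
        return -1;
    return (long long)v;
}

int main(void)
{
    /* Constructed inputs; the second is the argument from the report. */
    const char *samples[] = { "1000", "10000000000000", "12abc", "-1", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %lld\n", samples[i], parse_id(samples[i]));
    return 0;
}
```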