tech-kern archive


Re: kmem_calloc and overflow checks [was Re: [PATCH] netbsd32 swapctl, round 4]



On 02/02/2014 16:56, Taylor R Campbell wrote:
    Date: Sun, 02 Feb 2014 16:43:49 +0100
    From: Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost>

    Even functions like calloc(3) are not required to check for the overflow
    themselves when you pass them (number of elements, sizeof elements).

    Overflow checks are rather cumbersome in C...

Calloc(3) may not check, but we could define the semantics of
kmem_calloc to guarantee an overflow check in order to make it less
cumbersome for callers.

Yep, right.

We are a bit sliding away from the original swap32 compat code from Emmanuel though :)

In this case I would leave the overflow checks, as this is not a real performance critical path. It is more a matter of avoiding errors by cargo cult programming if the code gets copy/pasted elsewhere but not adapted correctly.

I think that implementing "integer overflow" checks in kernel (and also userland) functions requires more thorough thought. It is inconvenient to have APIs where some do and some don't.

Cheers,

--
Jean-Yves Migeon
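
As an added illustration (not code from this thread and not NetBSD's kmem_calloc), the following hypothetical allocator implements the semantics Taylor proposes: it takes (number of elements, element size), refuses the request when the product would wrap around in size_t, and zeroes the buffer on success. The function names mul_overflows, naive_product, example_calloc and selfcheck are assumptions for this example; the overflow check is the classic division-based test rather than a compiler builtin, so it is plain C99.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example code (hypothetical, not NetBSD's kmem_calloc): an allocator
 * whose contract includes the n * size overflow check, so callers do not
 * have to repeat it, and cannot forget it when code is copy/pasted.
 */

/* Compute n * size into *total; return true if the product would wrap. */
bool
mul_overflows(size_t n, size_t size, size_t *total)
{
	if (n != 0 && size > SIZE_MAX / n)
		return true;		/* would exceed size_t: refuse */
	*total = n * size;
	return false;
}

/* The unchecked product, for comparison: unsigned arithmetic wraps silently. */
size_t
naive_product(size_t n, size_t size)
{
	return n * size;
}

/*
 * calloc-like allocator with a guaranteed overflow check.
 * Returns NULL when n * size overflows instead of handing back a
 * wrapped-around (far too small) buffer.
 */
void *
example_calloc(size_t n, size_t size)
{
	size_t total;
	void *p;

	if (mul_overflows(n, size, &total))
		return NULL;
	if (total == 0)
		total = 1;		/* keep a unique, freeable pointer for n == 0 */
	p = malloc(total);
	if (p != NULL)
		memset(p, 0, total);	/* zero-fill, as calloc(3) does */
	return p;
}

/*
 * Demonstration: returns true if every property above holds.
 * "half" is SIZE_MAX/2 + 1, so half * 2 is exactly 2^(bits of size_t),
 * which wraps to 0 in naive arithmetic.
 */
bool
selfcheck(void)
{
	size_t total = 0;
	size_t half = (size_t)1 << (sizeof(size_t) * CHAR_BIT - 1);
	void *big;
	int *arr;
	bool zeroed;

	if (!mul_overflows(half, 2, &total))
		return false;			/* wrap must be detected */
	if (naive_product(half, 2) != 0)
		return false;			/* unchecked product wraps to 0 */
	if (mul_overflows(10, 20, &total) || total != 200)
		return false;			/* ordinary sizes pass through */

	big = example_calloc(half, 2);
	if (big != NULL) {
		free(big);
		return false;			/* overflowing request must fail */
	}

	arr = example_calloc(4, sizeof(int));
	if (arr == NULL)
		return false;
	zeroed = (arr[0] == 0 && arr[1] == 0 && arr[2] == 0 && arr[3] == 0);
	free(arr);
	return zeroed;
}

int
main(void)
{
	printf("overflow-checked allocator: %s\n", selfcheck() ? "ok" : "FAILED");
	return selfcheck() ? 0 : 1;
}
```

With the check inside the allocator, a caller that passes (nelem, sizeof(elem)) gets NULL on overflow and can treat it like any other allocation failure, which is the point made above about not relying on every copy of the calling code to carry its own check.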

