Subject: Re: Performance of various memcpy()'s
To: Ignatios Souvatzis <is@netbsd.org>
From: Bang Jun-Young <junyoung@mogua.com>
List: tech-userlevel
Date: 10/29/2002 12:01:23
On Mon, Oct 28, 2002 at 09:24:11PM +0100, Ignatios Souvatzis wrote:
> Hi,
> 
> On Mon, Oct 28, 2002 at 04:41:55PM +0900, Bang Jun-Young wrote:
> 
> > Along with this change, I'd like to get rid of _DIAGNOSTIC stuff as well.
> > I don't understand why there's such a pointer wraparound check, since
> > the memcpy(3) clearily says "use memmove() for overlap case."
> 
> Thats a different issue. There have been pointer wraparound attacks to
> network daemons known to call memcpy(), a couple of months ago.

That check is only compiled in if _DIAGNOSTIC is defined at compile
time. Obviously it has nothing to do with protecting system from
attackers.

I'm not sure what it is intended to do either. In memmove():

	movl	20(%esp),%ecx

	...

	addl	%ecx,%edi	/* copy backwards. */
	addl	%ecx,%esi

#ifdef _DIAGNOSTIC
	cmpl	12(%esp),%edi
	jae	2f
	... (call assert)
2:
	cmpl	16(%esp),%esi
	jae	3f
	... (call assert)
3:
#endif /* _DIAGNOSTIC */

Unless %ecx is a negative, %edi and %esi are always larger than 12(%esp)
and 16(%esp), respectively. Calling assert is even more strange;
"src + length > src" string is passed to assert on dst check, and
"dst + length > dst" on src check. What kind of error can it detect
after all?

Jun-Young

-- 
Bang Jun-Young <junyoung@mogua.com>