Subject: Re: Making counts and lengths unsigned
To: None <tls@rek.tjls.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-kern
Date: 04/14/2006 00:36:46
On Thu, 13 Apr 2006 22:16:59 -0400, Thor Lancelot Simon <tls@rek.tjls.com>
wrote:
> Coverity has turned up a number of "can't happen" bugs involving
> counts or lengths in the kernel going negative -- code that
> tests for buf.b_bcount == 0, for instance, and thereafter assumes
> that it's greater than zero.
>
> I propose to address the problem by making these members in our
> data structures unsigned. It's been pointed out that m.len might
> be another good candidate.
>
> As far as I can tell there is no code in our system that ever
> assigns a negative value to m.len or buf.b_bcount; and there is
> certainly code that would severely misbehave if it ever encountered
> a buf in that state (I am not familiar enough with the network
> code to be able to say the same thing about an mbuf). Does anyone
> have any compelling reason why I should _not_ do this?
>
Nothing uses -1 as a flag? You've grepped it, not me, but that's the case
I'd wonder about.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
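The two points in this exchange, the "== 0 then assume > 0" pattern on a signed count and the question of what happens to a -1 flag value once the field is unsigned, are illustrated below in an added example. This is not NetBSD code: the field names and the `B_NONE` flag convention are hypothetical stand-ins for `buf.b_bcount` / `m_len`, and the functions return the count that would have reached a copy routine instead of copying, so the wrap can be observed safely.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustration, not NetBSD code. The arguments below stand in
 * for buf.b_bcount / m_len; B_NONE is a hypothetical "-1 as a flag"
 * convention of the kind Bellovin asks about.
 */
#define B_NONE ((long)-1)

/* The pattern Coverity flagged: only the zero case is rejected, and the
 * rest of the function proceeds as if the count were positive. Returns
 * the byte count that would be handed to bcopy()/memcpy(). */
size_t bytes_to_copy_signed(long b_bcount)
{
    if (b_bcount == 0)
        return 0;               /* "nothing to do" */
    /* -5 is not 0, so it reaches this cast and becomes SIZE_MAX - 4. */
    return (size_t)b_bcount;
}

/* The same logic on an unsigned field. There is no negative branch for
 * an analyser to report, which is the point of the proposal. Note that a
 * -1 flag stored in this field is ULONG_MAX here and is copied, not
 * skipped, unless the caller tests for it first (see is_flag_value). */
size_t bytes_to_copy_unsigned(unsigned long b_bcount)
{
    if (b_bcount == 0)
        return 0;
    return (size_t)b_bcount;
}

/* After the type change, a negative count can no longer exist inside the
 * structure, so the place to catch one is where a computed value is
 * stored. Returns 1 and stores on success, 0 if the value is rejected. */
int store_bcount(unsigned long *field, long computed, unsigned long limit)
{
    if (computed < 0)                       /* would wrap on assignment */
        return 0;
    if ((unsigned long)computed > limit)    /* beyond the buffer's size */
        return 0;
    *field = (unsigned long)computed;
    return 1;
}

/* Bellovin's question. Comparing an unsigned field against -1 still
 * works in C, because the constant is converted to ULONG_MAX before the
 * comparison. What silently stops working is any "b_bcount < 0" test:
 * on an unsigned field it is always false (compilers warn with
 * -Wtype-limits), which is the case worth grepping for. */
int is_flag_value(unsigned long b_bcount)
{
    return b_bcount == (unsigned long)B_NONE;
}

int main(void)
{
    unsigned long field = 0;

    printf("signed   -1 -> %zu bytes\n", bytes_to_copy_signed(-1));
    printf("signed   -5 -> %zu bytes\n", bytes_to_copy_signed(-5));
    printf("unsigned flag -> %zu bytes, is_flag=%d\n",
           bytes_to_copy_unsigned((unsigned long)B_NONE),
           is_flag_value((unsigned long)B_NONE));
    printf("store -1   accepted=%d\n", store_bcount(&field, -1, 4096));
    printf("store 512  accepted=%d field=%lu\n",
           store_bcount(&field, 512, 4096), field);
    printf("store 8192 accepted=%d\n", store_bcount(&field, 8192, 4096));
    return 0;
}
```

The first function shows why the "can't happen" reports are real: a negative count sails past the `== 0` test and becomes a near-`SIZE_MAX` length at the cast. The unsigned variants show where the hazard moves rather than disappears, to the assignment site and to any sentinel that used to be negative.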