Subject: Re: Making counts and lengths unsigned
To: None <tls@rek.tjls.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-kern
Date: 04/14/2006 00:36:46
On Thu, 13 Apr 2006 22:16:59 -0400, Thor Lancelot Simon <tls@rek.tjls.com>
wrote:

> Coverity has turned up a number of "can't happen" bugs involving
> counts or lengths in the kernel going negative -- code that
> tests for buf.b_bcount == 0, for instance, and thereafter assumes
> that it's greater than zero.
> 
> I propose to address the problem by making these members in our
> data structures unsigned.  It's been pointed out that m.len might
> be another good candidate.
> 
> As far as I can tell there is no code in our system that ever
> assigns a negative value to m.len or buf.b_bcount; and there is
> certainly code that would severely misbehave if it ever encountered
> a buf in that state (I am not familiar enough with the network
> code to be able to say the same thing about an mbuf).  Does anyone
> have any compelling reason why I should _not_ do this?
> 
Nothing uses -1 as a flag?  You've grepped it, not me, but that's the case
I'd wonder about.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
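An added illustration of the two points in this exchange, written for this reply and not code from the thread or from the kernel; the counts are plain `long`/`unsigned long` stand-ins for the b_bcount field, and the function names and the -1 flag value are constructed for the example:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The "can't happen" pattern Coverity flags: test the count for zero, then
 * treat it as positive and hand it to a size_t-taking routine.  A negative
 * signed count passes the == 0 test and becomes an enormous length. */
size_t bytes_requested_signed(long b_bcount)
{
    if (b_bcount == 0)
        return 0;
    return (size_t)b_bcount;        /* -1 converts to SIZE_MAX here */
}

/* Same code once the member is unsigned: no negative value exists, so the
 * "positive after != 0" assumption holds by construction. */
size_t bytes_requested_unsigned(unsigned long b_bcount)
{
    if (b_bcount == 0)
        return 0;
    return (size_t)b_bcount;
}

/* The caveat raised above: code that used -1 as a flag.  An "== -1" test
 * keeps working after the change, because the usual arithmetic conversions
 * turn -1 into ULONG_MAX on the unsigned side... */
int flag_by_equality(unsigned long b_bcount)
{
    return b_bcount == (unsigned long)-1;
}

/* ...but a "< 0" test silently becomes dead code.  (Written through a
 * variable so the compiler's constant-comparison warning stays quiet; the
 * behaviour is identical to writing b_bcount < 0.) */
int flag_by_sign(unsigned long b_bcount)
{
    unsigned long zero = 0;
    return b_bcount < zero;         /* always 0 for an unsigned count */
}

int main(void)
{
    printf("signed -1 requests %zu bytes\n", bytes_requested_signed(-1));
    printf("unsigned flag: ==-1 -> %d, <0 -> %d\n",
           flag_by_equality((unsigned long)-1),
           flag_by_sign((unsigned long)-1));
    return 0;
}
```

The grep the reply asks for therefore has to cover both spellings of the flag test: `== -1` survives the type change, `< 0` does not.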