From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH] util: Use unsigned (size_t) value for iov length
Date: Tue, 6 Aug 2024 11:21:49 +1000
Message-ID: <20240806012149.2186221-1-david@gibson.dropbear.id.au>

The "correct" type for the length of an IOV is unclear: writev() and readv() use an int, but sendmsg() and recvmsg() use a size_t. Using the unsigned size_t has some advantages, though, and it makes more sense for the case of write_remainder. Using size_t throughout here means we don't have a signed vs. unsigned comparison, and we don't have to deal with the case of iov_skip_bytes() returning a value which becomes negative when assigned to an integer.

I believe this should fix a Coverity reported integer overflow that's showing up on openscanhub. It's not totally clear from the report what it thinks the path is, but it's on an (iovcnt - i) a few lines later. With both having unsigned type, the loop condition ensures this can't underflow.

Signed-off-by: David Gibson
---
 util.c | 5 ++---
 util.h | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/util.c b/util.c index f2e26a7a..54a9f580 100644 --- a/util.c +++ b/util.c 
@@ -592,10 +592,9 @@ int do_clone(int (*fn)(void *), char *stack_area, size_t stack_size, int flags, * * #syscalls write writev */ -int write_remainder(int fd, const struct iovec *iov, int iovcnt, size_t skip) +int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip) { - int i; - size_t offset; + size_t offset, i; while ((i = iov_skip_bytes(iov, iovcnt, skip, &offset)) < iovcnt) { ssize_t rc; diff --git a/util.h b/util.h index b7541ce2..e8bf9572 100644 --- a/util.h +++ b/util.h @@ -182,7 +182,7 @@ void pidfile_write(int fd, pid_t pid); int __daemon(int pidfile_fd, int devnull_fd); int fls(unsigned long x); int write_file(const char *path, const char *buf); -int write_remainder(int fd, const struct iovec *iov, int iovcnt, size_t skip); +int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip); /** * af_name() - Return name of an address family -- 2.45.2
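Review bot: in the util.c hunk, iovcnt and i are now size_t, but the commit message notes that writev() takes an int count, so if the (iovcnt - i) a few lines below the loop head is what gets passed to writev(), it is now narrowed from size_t to int implicitly at that call. The loop condition i < iovcnt does rule out the subtraction wrapping, but nothing visible here bounds iovcnt itself. Consider stating or checking an upper limit on iovcnt (IOV_MAX or INT_MAX) at the top of write_remainder(), or making the conversion explicit at the writev() call, so the analyzer does not simply move its finding from the overflow to the truncation. It is also worth confirming that no caller still holds its count in a signed int that could be negative, since that would now convert silently to a very large size_t.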
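Review bot: in the util.h hunk, the new write_remainder() prototype is 81 characters long with its trailing semicolon, one column more than the matching definition line in util.c. If the project keeps to 80 columns, wrap it before the last parameter, for example "int write_remainder(int fd, const struct iovec *iov, size_t iovcnt," followed by an aligned continuation line "size_t skip);".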