Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Jun 2013 14:31:48 +1000
From: Matthew Fernandez <>
To: <>
CC: Rich Felker <>
Subject: Re: Use of size_t and ssize_t in mseek

On 27/06/13 14:23, Rich Felker wrote:
> On Thu, Jun 27, 2013 at 02:16:15PM +1000, Matthew Fernandez wrote:
>> Perfectly reasonable to make it UB (and I had assumed it was so
>> already).
> Well the UB is just passing a wrong size. But the only way you can
> guarantee that such a huge size is "wrong" is by cutting off all ways
> of making such a large object.

In some sense this is true, but this would not have affected my
scenario. I do not know the size of the object to which I have a pointer
to and the object was not derived from Musl C functionality. As a bit of
context, this is an embedded environment where we don't have much
address space introspection. I suppose you could argue that I should
have re-implemented fmemopen in a way that didn't assume a bounded buffer.

>> It just seemed to me that it would be more user-friendly to
>> bounds check the size parameter in fmemopen. Is there a reason not to do
>> this?
> Mainly just consistency. There are a lot of places where sizes greater
> than PTRDIFF_MAX would be problematic due to overflowing differences
> and other issues, it's difficult (and ugly) to try to catch them all,
> and even if you do catch them, in some cases, there's no obvious
> "correct" course of action to take. fmemopen could check and return
> some reasonable error, but I still want to find and fix any remaining
> places where objects larger than PTRDIFF_MAX could come into existence
> since they affect other code too, and once those are fixed, the check
> in fmemopen would be obsolete.

Yes, I agree with this reasoning. It seems fmemopen should really take a
ssize_t, but this would require deviating from the standard which is

> As far as I can tell, mmap and maybe shmat are the only functions that
> might be able to make such large objects. Do you know any others?

Not that I'm aware of. I haven't explored Musl C much and would consider
myself more of a user than developer with respect to its code.


The information in this e-mail may be confidential and subject to legal professional privilege and/or copyright. National ICT Australia Limited accepts no liability for any damage caused by this email or its attachments.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.