Re: Minor net/core/sock.c security issue?

Albert D. Cahalan (acahalan@cs.uml.edu)
Tue, 24 Jul 2001 00:55:15 -0400 (EDT)


David S. Miller writes:
> Albert D. Cahalan writes:

>> Long term, __builtin_min() and __builtin_max() would be nice.
>
> I would even avoid this, what is the signedness of their
> arguments and return values? The answer is: I don't care,
> because I have to look it up.
>
> And if I have to look it up, I know that most people _won't_ look it
> up and will just guess or assume. Most people are therefore likely to
> misuse it.

The obvious answer is to enforce that the signedness of their
arguments and return values all match. Anything else won't compile.
This is safer than plain open code, because it forces the programmer
to fix any signedness mismatch.

The whole point of being built-in is that stuff like this can be
handled.

Possibly bad ideas:

The full range of signed/unsigned could be made to work, as if you
were using 33-bit or 65-bit signed math. It might even be sane to take
the return type from whatever is getting fed the return value. It
would be cool to use the exception tables if something goes out of
range, though maybe that would be too slow.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
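The signedness hazard the thread is arguing about, shown as an added example (this is not code from the thread, from the kernel's sock.c, or from any compiler builtin). MAX_NAIVE is the open-coded max() every C programmer writes; MAX_STRICT is a hypothetical macro that does what Cahalan asks for, refusing to compile unless both operands have exactly the same type, implemented here with the GCC/Clang extensions _Static_assert, __typeof__ and __builtin_types_compatible_p. MIN_LEN, floor_len_naive and floor_len_checked are constructed for the example: a caller-supplied int length being "floored" against a size_t minimum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The usual open-coded max(): no type discipline. When one operand is a
 * signed int and the other a size_t, the usual arithmetic conversions
 * turn a negative int into a huge unsigned value before the comparison. */
#define MAX_NAIVE(a, b) ((a) > (b) ? (a) : (b))

/* A max() that refuses to compile unless both operands have the same
 * type, so signed and unsigned can never be mixed silently.
 * Hypothetical helper for this example, not a compiler builtin. */
#define MAX_STRICT(a, b) ({                                                 \
        __typeof__(a) _a = (a);                                             \
        __typeof__(b) _b = (b);                                             \
        _Static_assert(__builtin_types_compatible_p(__typeof__(a),         \
                                                    __typeof__(b)),         \
                       "max: operand types differ (signedness/width)");     \
        _a > _b ? _a : _b; })

#define MIN_LEN ((size_t)16)   /* constructed minimum length for the example */

/* "Enforce a minimum length" as it is often written. For a negative len
 * the comparison converts -1 to SIZE_MAX, SIZE_MAX > 16 holds, and the
 * conditional's result type is size_t, so the caller is handed SIZE_MAX
 * as the "floored" length instead of an error. */
size_t floor_len_naive(int len)
{
    return MAX_NAIVE(len, MIN_LEN);
}

/* Same intent with the signedness question settled explicitly: reject
 * negatives first, convert, then call the strict max() on two size_t.
 * Returns 0 and stores the length, or -1 for an invalid (negative) len. */
int floor_len_checked(int len, size_t *out)
{
    if (len < 0)
        return -1;
    size_t ulen = (size_t)len;
    *out = MAX_STRICT(ulen, MIN_LEN);
    return 0;
}

#ifdef DEMONSTRATE_MISMATCH
/* Build with -DDEMONSTRATE_MISMATCH to see the mixed-type call rejected
 * at compile time by the static assertion inside MAX_STRICT. */
size_t floor_len_mismatch(int len)
{
    return MAX_STRICT(len, MIN_LEN);
}
#endif

int main(void)
{
    size_t out = 0;

    printf("naive   len=-1  -> %zu\n", floor_len_naive(-1));
    printf("naive   len=100 -> %zu\n", floor_len_naive(100));
    printf("checked len=-1  -> rc=%d\n", floor_len_checked(-1, &out));
    if (floor_len_checked(5, &out) == 0)
        printf("checked len=5   -> %zu\n", out);
    return 0;
}
```

The naive variant is exactly the case Miller worries about: nobody looked up the signedness, the code compiles cleanly, and a negative length comes back as SIZE_MAX. The strict variant makes the mismatch a hard build error regardless of warning flags, which forces the explicit `len < 0` check and cast that the naive version never had; adding -Wsign-compare (part of -Wextra in GCC) to the build will at least warn on the naive comparison.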