Eric S. Raymond esr at thyrsus.com
Sun Nov 22 13:55:41 UTC 2015

Hal Murray <hmurray at megapathdsl.net>:
> esr at thyrsus.com said:
> > Sadly, I don't know of any good tutorials on this.  It is a swamp full of
> > razor blades for even very experienced C programmers.  If you have a
> > particular expression you want me to analyze I might be able to say
> > something useful. 
> The old code was:
>         int chars;
>         char req_buf[CTL_MAX_DATA_LEN];
>                 req = req_buf;
>                 req_end = req_buf + sizeof(req_buf);
> #define REQ_ROOM        (req_end - req)
>                         chars = strlen(buf);
>                         if (REQ_ROOM - chars < 1)
>                                 break;
> The new code is:
>         size_t chars;
>                         if (REQ_ROOM <= chars)
>                                 break;
> The old if didn't work after chars changed to size_t.

Right.  That's a good change.  Any time you eliminate a subtraction you
eliminate a potential overflow point. I'm still not happy with this
code, because REQ_ROOM looks like a constant but conceals another

What happened here, I think, is that because of the signed-to-unsigned
conversion, results of the subtraction that would have gone to less than zero
turned into a large unsigned value due to modular wraparound.

Hm.  Maybe I need to *write* a tutorial on this.  The trouble is that while I
probably know enough to do it, my knowledge is tacit and reactive rather
than explicit.

In the meantime, I'm going to follow Mark's advice and experiment with -Wextra.
Maybe that will flush out similar instances.
Eric S. Raymond <http://www.catb.org/~esr/>
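An added illustration of the wraparound described above (this is not code from the thread or from the project; the 16-byte buffer stands in for CTL_MAX_DATA_LEN, whose value is not given here). It runs the old test with chars as size_t, the old test as it behaved while chars was still int, and the new subtraction-free test, on a request with 6 bytes of room and a 20-character string:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed buffer size standing in for CTL_MAX_DATA_LEN. */
#define BUF_LEN 16

/* Same shape as the page's macro: a pointer difference, type ptrdiff_t (signed). */
static char req_buf[BUF_LEN];
static char *req;
static char *req_end;
#define REQ_ROOM (req_end - req)

static void set_room(size_t used)
{
    req = req_buf + used;                 /* bytes already consumed */
    req_end = req_buf + sizeof(req_buf);  /* one past the end of the buffer */
}

/* The pre-change test with chars declared size_t, as after the type change.
 * ptrdiff_t minus size_t is evaluated as unsigned (same width, unsigned wins),
 * so 6 - 20 wraps to a huge value and "< 1" is never true: nothing is rejected. */
static int old_test_rejects_size_t(size_t used, size_t chars)
{
    set_room(used);
    return REQ_ROOM - chars < 1;
}

/* The same test as it behaved while chars was still int: the int is widened
 * to ptrdiff_t, the subtraction stays signed, and 6 - 20 really is negative. */
static int old_test_rejects_int(size_t used, int chars)
{
    set_room(used);
    return REQ_ROOM - chars < 1;
}

/* The post-change test from the page: no subtraction, so nothing to wrap.
 * REQ_ROOM is converted to unsigned for the comparison, which is harmless
 * as long as req has not run past req_end (REQ_ROOM >= 0). */
static int new_test_rejects(size_t used, size_t chars)
{
    set_room(used);
    return REQ_ROOM <= chars;
}

int main(void)
{
    printf("old/size_t: %d  old/int: %d  new: %d\n",
           old_test_rejects_size_t(10, 20), old_test_rejects_int(10, 20),
           new_test_rejects(10, 20));
    return 0;
}
```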