Change in libosmocore[master]: bitvec_read_field(): fix incorrect bit-shift issue found by UBSan


fixeria gerrit-no-reply at lists.osmocom.org
Wed Nov 17 14:58:24 UTC 2021


fixeria has posted comments on this change. ( https://gerrit.osmocom.org/c/libosmocore/+/26308 )

Change subject: bitvec_read_field(): fix incorrect bit-shift issue found by UBSan
......................................................................


Patch Set 1:

(2 comments)

https://gerrit.osmocom.org/c/libosmocore/+/26308/1/src/bitvec.c 
File src/bitvec.c:

https://gerrit.osmocom.org/c/libosmocore/+/26308/1/src/bitvec.c@485 
PS1, Line 485: 	if (len && bytenum_from_bitnum(*read_index + len - 1) >= bv->data_len) {
> why this -1?
Because we check presence of the *last* bit here. If, let's say, len=32, then the last bit you're interested in is the 31st bit, because we count from 0. Without that -1, parsing e.g. 32 out of 32 bits in the vector won't work.

  // read_index=0, len=32, bv->data_len=4
  if (bytenum_from_bitnum(0 + 32 - 1) >= 4) {  ... }
  if (bytenum_from_bitnum(31) >= 4) {  ... }
  if (31 / 8 >= 4) {  ... }
  if (3 >= 4) {  ... } // false

This is also why below we do:

  ((uint64_t)1 << (len - i - 1))


https://gerrit.osmocom.org/c/libosmocore/+/26308/1/src/bitvec.c@494 
PS1, Line 494: 		int bit = bitvec_get_bit_pos((const struct bitvec *)bv, bv->cur_bit);
> I'd rather still keep the error checking here.
Why not, if we can check once and then avoid additional 'if' statements in a loop?

Moreover, the idea is to catch the error before entering the loop and doing:

  ((uint64_t)1 << (len - i - 1))

Otherwise it takes several iterations to realize that we're reading out of bounds.



-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/26308
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I4deeabba7ebb720cdbe7c85b37bc011d05bdfa65
Gerrit-Change-Number: 26308
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-CC: pespin <pespin at sysmocom.de>
Gerrit-Comment-Date: Wed, 17 Nov 2021 14:58:24 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: pespin <pespin at sysmocom.de>
Gerrit-MessageType: comment
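As an added illustration of the reasoning above (not libosmocore's code), here is a minimal self-contained bit vector with the single pre-loop bounds check on the *last* requested bit; `struct bitvec`, `bytenum_from_bitnum`, `read_field` and `try_read` are simplified stand-ins for the real API, and the 4-byte sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in: bits packed MSB-first, data_len counts bytes. */
struct bitvec {
	const uint8_t *data;
	size_t data_len;
};

/* Byte index holding bit number 'bitnum' (bits counted from 0). */
static size_t bytenum_from_bitnum(size_t bitnum)
{
	return bitnum / 8;
}

/* Value of one bit; bit 0 is the MSB of byte 0. */
static int bit_at(const struct bitvec *bv, size_t bitnum)
{
	return (bv->data[bytenum_from_bitnum(bitnum)] >> (7 - bitnum % 8)) & 1;
}

/* Read 'len' bits (1..64) at *read_index into *out; 0 on success, -1 on error.
 * The check is done once, before the loop, on bit read_index + len - 1: with
 * len=32 from index 0 the last bit is bit 31, which lives in byte 3. */
int read_field(const struct bitvec *bv, size_t *read_index, unsigned len, uint64_t *out)
{
	uint64_t val = 0;
	unsigned i;

	if (len == 0 || len > 64)
		return -1;
	if (bytenum_from_bitnum(*read_index + len - 1) >= bv->data_len)
		return -1;

	for (i = 0; i < len; i++)
		if (bit_at(bv, *read_index + i))
			val |= ((uint64_t)1 << (len - i - 1)); /* shift is 0..63 */
	*read_index += len;
	*out = val;
	return 0;
}

/* Constructed sample: read 'len' bits at 'start'; returns the value or -1. */
long long try_read(size_t start, unsigned len)
{
	static const uint8_t buf[4] = { 0xde, 0xad, 0xbe, 0xef };
	const struct bitvec bv = { buf, sizeof(buf) };
	uint64_t out = 0;
	return read_field(&bv, &start, len, &out) ? -1 : (long long)out;
}

int main(void)
{
	printf("32 of 32 bits: 0x%llx\n", try_read(0, 32)); /* 0xdeadbeef */
	printf("33 of 32 bits: %lld\n", try_read(0, 33));   /* -1, rejected */
	return 0;
}
```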