Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 92076
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: alexander.bluhm [...] gmx.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.57
Fixed in: (no value)



Subject: strlen() type compiler warning about overflow
Download (untitled) / with headers
text/plain 2.4k
Hi, When compiling Net::SSLeay 1.56 on OpenBSD/amd64 I get warnings about possible variable overflows. cc -c -I/usr/include -DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE -fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -fstack-protector -I/usr/local/include -O2 -g -DVERSION=\"1.56\" -DXS_VERSION=\"1.56\" -DPIC -fPIC "-I/usr/libdata/perl5/amd64-openbsd/5.16.3/CORE" SSLeay.c SSLeay.xs: In function 'next_proto_select_cb_invoke': SSLeay.xs:849: warning: comparison is always true due to limited range of data type SSLeay.xs:862: warning: comparison is always false due to limited range of data type You use int or char variables to hold strlen() values, but the return type of strlen() is size_t. This type should also be used for those variables to avoid wrap arounds or signed/unsigned issues. bluhm --- SSLeay.xs.orig Tue Jan 7 08:28:35 2014 +++ SSLeay.xs Sat Jan 11 18:53:52 2014 @@ -780,8 +780,8 @@ int next_proto_helper_AV2protodata(AV * list, unsigned if (last_index<0) return 0; for(i=0; i<=last_index; i++) { char *p = SvPV_nolen(*av_fetch(list, i, 0)); - int len = strlen(p); - if (len<0 || len>255) return 0; + size_t len = strlen(p); + if (len>255) return 0; if (out) { /* if out == NULL we only calculate the length of output */ out[ptr] = (unsigned char)len; @@ -811,7 +811,7 @@ int next_proto_select_cb_invoke(SSL *ssl, unsigned cha { SV *cb_func, *cb_data; unsigned char *next_proto_data; - unsigned char next_proto_len; + size_t next_proto_len; int next_proto_status; SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); STRLEN n_a; @@ -941,7 +941,7 @@ int alpn_select_cb_invoke(SSL *ssl, const unsigned cha { SV *cb_func, *cb_data; unsigned char *alpn_data; - unsigned char alpn_len; + size_t alpn_len; SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); STRLEN n_a; @@ -1010,7 +1010,8 @@ int alpn_select_cb_invoke(SSL *ssl, const unsigned cha int pem_password_cb_invoke(char *buf, int bufsize, int rwflag, void *data) { dSP; char *str; - int count = -1, str_len = 0; + int count = -1; + size_t str_len = 0; simple_cb_data_t* cb = (simple_cb_data_t*)data; STRLEN n_a; @@ -3252,7 +3253,7 @@ PEM_get_string_PrivateKey(pk,passwd=NULL,enc_alg=NULL) BIO *bp; int i, n; char *buf; - int passwd_len = 0; + size_t passwd_len = 0; pem_password_cb * cb = NULL; void * u = NULL; CODE:
Subject: Re: [rt.cpan.org #92076] strlen() type compiler warning about overflow
Date: Mon, 13 Jan 2014 12:15:19 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Download (untitled) / with headers
text/plain 3.3k
Hi, thanks for that. Now fixed in SVN 394. If you will be good enough to test the latest SVN, I will make a new release. Cheers. On Sunday, January 12, 2014 10:47:20 AM you wrote: Show quoted text
> Sun Jan 12 10:47:18 2014: Request 92076 was acted upon. > Transaction: Ticket created by bluhm > Queue: Net-SSLeay > Subject: strlen() type compiler warning about overflow > Broken in: 1.57 > Severity: (no value) > Owner: Nobody > Requestors: alexander.bluhm@gmx.net > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=92076 > > > > Hi, > > When compiling Net::SSLeay 1.56 on OpenBSD/amd64 I get warnings > about possible variable overflows. > > cc -c -I/usr/include -DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE > -fno-strict-aliasing -fno-delete-null-pointer-checks -pipe > -fstack-protector -I/usr/local/include -O2 -g -DVERSION=\"1.56\" > -DXS_VERSION=\"1.56\" -DPIC -fPIC > "-I/usr/libdata/perl5/amd64-openbsd/5.16.3/CORE" SSLeay.c SSLeay.xs: In > function 'next_proto_select_cb_invoke': > SSLeay.xs:849: warning: comparison is always true due to limited range of > data type SSLeay.xs:862: warning: comparison is always false due to limited > range of data type > > You use int or char variables to hold strlen() values, but the > return type of strlen() is size_t. This type should also be used > for those variables to avoid wrap arounds or signed/unsigned issues. > > bluhm > > --- SSLeay.xs.orig Tue Jan 7 08:28:35 2014 > +++ SSLeay.xs Sat Jan 11 18:53:52 2014 > @@ -780,8 +780,8 @@ int next_proto_helper_AV2protodata(AV * list, unsigned > if (last_index<0) return 0; > for(i=0; i<=last_index; i++) { > char *p = SvPV_nolen(*av_fetch(list, i, 0)); > - int len = strlen(p); > - if (len<0 || len>255) return 0; > + size_t len = strlen(p); > + if (len>255) return 0; > if (out) { > /* if out == NULL we only calculate the length of output */ > out[ptr] = (unsigned char)len; > @@ -811,7 +811,7 @@ int next_proto_select_cb_invoke(SSL *ssl, unsigned cha > { > SV *cb_func, *cb_data; > unsigned char *next_proto_data; > - unsigned char next_proto_len; > + size_t next_proto_len; > int next_proto_status; > SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); > STRLEN n_a; > @@ -941,7 +941,7 @@ int alpn_select_cb_invoke(SSL *ssl, const unsigned cha > { > SV *cb_func, *cb_data; > unsigned char *alpn_data; > - unsigned char alpn_len; > + size_t alpn_len; > SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); > STRLEN n_a; > > @@ -1010,7 +1010,8 @@ int alpn_select_cb_invoke(SSL *ssl, const unsigned cha > int pem_password_cb_invoke(char *buf, int bufsize, int rwflag, void *data) > { dSP; > char *str; > - int count = -1, str_len = 0; > + int count = -1; > + size_t str_len = 0; > simple_cb_data_t* cb = (simple_cb_data_t*)data; > STRLEN n_a; > > @@ -3252,7 +3253,7 @@ PEM_get_string_PrivateKey(pk,passwd=NULL,enc_alg=NULL) > BIO *bp; > int i, n; > char *buf; > - int passwd_len = 0; > + size_t passwd_len = 0; > pem_password_cb * cb = NULL; > void * u = NULL; > CODE:
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070
Subject: Re: [rt.cpan.org #92076] strlen() type compiler warning about overflow
Date: Tue, 14 Jan 2014 00:40:56 +0100
To: Mike McCauley via RT <bug-Net-SSLeay [...] rt.cpan.org>
From: Alexander Bluhm <alexander.bluhm [...] gmx.net>
Download (untitled) / with headers
text/plain 263b
On Sun, Jan 12, 2014 at 09:15:32PM -0500, Mike McCauley via RT wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=92076 > > Now fixed in SVN 394. > If you will be good enough to test the latest SVN, I will make a new release.
Yes, it works for me. bluhm
Subject: Re: [rt.cpan.org #92076] strlen() type compiler warning about overflow
Date: Tue, 14 Jan 2014 09:52 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Download (untitled) / with headers
text/plain 786b
Hi, Thanks for checking. I will make a new release in the next few days as soon as another issue is cleared. Cheers. On Monday, January 13, 2014 06:41:06 PM you wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=92076 > > > On Sun, Jan 12, 2014 at 09:15:32PM -0500, Mike McCauley via RT wrote:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=92076 > > > Now fixed in SVN 394. > > If you will be good enough to test the latest SVN, I will make a new > > release.
> Yes, it works for me. > > bluhm
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.