read(2) and thus bsdiff is limited to 2^31 bytes
Konstantin Belousov
kostikbel at gmail.com
Sun May 22 23:09:49 UTC 2016
On Sun, May 22, 2016 at 03:56:33PM -0700, Conrad Meyer wrote:
> On Sun, May 22, 2016 at 1:54 PM, Dirk Engling <erdgeist at erdgeist.org> wrote:
> > When trying to bsdiff two DVD images, I noticed it failing due to
> > read(2) returning EINVAL to the tool. man 2 read says, this would only
> > happen for a negative value for fildes, which clearly was not true.
>
> Actually, it's documented at the very bottom of the first section:
>
> ERRORS
> The read(), readv(), pread() and preadv() system calls will succeed
> unless:
> ...
> [EINVAL] The value nbytes is greater than INT_MAX.
>
> It does seem silly to me given nbytes is a size_t. I think it should
> error if nbytes is greater than SSIZE_T_MAX, but on platforms where
> size_t is larger than int (e.g. amd64) it shouldn't error for nbytes
> in [INT_MAX, SSIZE_T_MAX - 1].
It does not look silly to me, due to the typical
if (read() < 0)
checks in the code. Even
if (read() == -1)
is vulnerable.
>
> As far as I can tell, this INT_MAX behavior is not required by POSIX.
>From POSIX page for read():
RETURN VALUE
Upon successful completion, these functions shall return a non-negative integer indicating the
number of bytes actually read. Otherwise, the functions shall return -1 and set errno to indicate
the error.
More information about the freebsd-hackers
mailing list