mirror of https://github.com/samba-team/samba.git synced 2025-01-20 14:03:59 +03:00
Douglas Bagnall 5ab93f48c5 util:tsort.h: add a macro for safely comparing numbers
In many places we use `return a - b;` in a comparison function. This can
be problematic if the comparison is used in a sort, as `a - b` is not
guaranteed to do what we expect. For example:

* if a and b are two's-complement ints, a is INT_MIN and b is INT_MAX, then
  a - b = 1, which is wrong.

* if a and b are 64 bit pointers, a - b could wrap around many times in
  a cmp function returning 32 bit ints. (We do this often).

The issue is not just that a sort could go haywire.
Due to a bug in glibc, this could result in out-of-bounds access:

https://www.openwall.com/lists/oss-security/2024/01/30/7

(We have replicated this bug in ldb_qsort).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-10 22:56:33 +00:00


/*
   Unix SMB/CIFS implementation.
   typesafe qsort
   Copyright (C) Andrew Tridgell 2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef _TSORT_H
#define _TSORT_H

#include <assert.h>
#include <stdlib.h>	/* qsort() */

/*
  a wrapper around qsort() that ensures the comparison function is
  type safe.
 */
#ifndef TYPESAFE_QSORT
#define TYPESAFE_QSORT(base, numel, comparison) \
do { \
	if (numel > 1) { \
		qsort(base, numel, sizeof((base)[0]), (int (*)(const void *, const void *))comparison); \
		/* sanity check: the first two sorted elements must be in order */ \
		assert(comparison(&((base)[0]), &((base)[1])) <= 0); \
	} \
} while (0)
#endif

#ifndef NUMERIC_CMP
/*
 * NUMERIC_CMP is a safe replacement for `a - b` in comparison
 * functions. It will work on integers, pointers, and floats.
 *
 * Rather than
 *
 *     return a - b;
 *
 * use
 *
 *     return NUMERIC_CMP(a, b);
 *
 * and you won't have any troubles if a - b would overflow.
 *
 * The result is always -1, 0 or 1, so it can never overflow or be
 * truncated by a function returning int.
 */
#define NUMERIC_CMP(a, b) (((a) > (b)) - ((a) < (b)))
#endif

#endif
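The two failure modes named in the commit message, next to NUMERIC_CMP, as an added example that is not part of the Samba source (the function names are mine; the wrapping comparator does its subtraction unsigned to stand in for the two's-complement wrap-around that signed overflow would produce):

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
/* Same definition as NUMERIC_CMP in tsort.h, repeated so this file stands alone. */
#define NUMERIC_CMP(a, b) (((a) > (b)) - ((a) < (b)))

/* The "return a - b" idiom for ints.  Signed overflow is undefined in C, so the
 * subtraction is done unsigned and converted back (modulo 2^32 on gcc/clang):
 * the wrap-around a two's-complement CPU produces, kept deterministic here. */
int cmp_int_subtract(int a, int b) { return (int)((unsigned)a - (unsigned)b); }

/* The 64-bit case from the commit message: a pointer-sized difference truncated
 * to a 32-bit return value loses the high bits, sign included (modelled with
 * int64_t so that no unrelated pointers are subtracted). */
int cmp_i64_truncated(int64_t a, int64_t b) { return (int)(a - b); }

/* The replacements: only ever -1, 0 or 1, so nothing can overflow or truncate. */
int cmp_int_safe(int a, int b) { return NUMERIC_CMP(a, b); }
int cmp_i64_safe(int64_t a, int64_t b) { return NUMERIC_CMP(a, b); }

/* A sort is only meaningful under a transitive comparator.  Returns 1 if
 * "x < y and y < z" implies "x < z" under cmp, 0 if the order has a cycle. */
int transitive3(int (*cmp)(int, int), int x, int y, int z)
{
	if (cmp(x, y) < 0 && cmp(y, z) < 0) {
		return cmp(x, z) < 0;
	}
	return 1; /* premise not met, nothing to check */
}

/* qsort adapter around NUMERIC_CMP, in the shape TYPESAFE_QSORT expects. */
static int qsort_int_safe(const void *pa, const void *pb)
{
	return NUMERIC_CMP(*(const int *)pa, *(const int *)pb);
}

/* Sorts a constructed array holding both INT_MIN and INT_MAX (the pair that
 * defeats a - b) with the safe comparator; returns 1 if the result is ascending. */
int demo_sort_extremes(void)
{
	int arr[] = { INT_MAX, 0, INT_MIN, 5, -5 };
	size_t i, n = sizeof(arr) / sizeof(arr[0]);
	qsort(arr, n, sizeof(arr[0]), qsort_int_safe);
	for (i = 1; i < n; i++) if (arr[i - 1] > arr[i]) return 0;
	return arr[0] == INT_MIN && arr[n - 1] == INT_MAX;
}
```

With the subtracting comparator, -5 < 0, 0 < INT_MIN and yet -5 > INT_MIN, so a sort has no consistent order to work with; that is the "haywire" case the commit message warns about.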