bgpd: fix comparison on 32bit arch
On Thu, May 07, 2026 at 02:24:39PM +0200, Theo Buehler wrote:
> On Thu, May 07, 2026 at 01:30:16PM +0200, Claudio Jeker wrote:
> > This fixes a warning on 32bit archs where ptrdiff_t is a 32bit signed value
> > and adjoutlen is uint32_t.
> >
> > /usr/src/usr.sbin/bgpd/rde_adjout.c: In function 'adjout_prefix_index':
> > /usr/src/usr.sbin/bgpd/rde_adjout.c:423: warning: comparison between signed and unsigned
> >
> > On 64bit archs this does not happen since there ptrdiff_t is 64bit signed
> > and so the uint32_t is promoted to a signed 64bit value. Which is a OK.
> >
> > Doing the size_t cast should be ok since negative idx was just ruled out
> > before.
>
> The cast itself is safe.
>
> ok tb
>
> [Since C is such a wonderful language, I'm not sure what the check
> really does since pte->adjout always points at the start and adjoutlen
> is always the full length, so either condition implies UB has happened
> since pointer differences are only defined for elements of the same
> array object (or one past the last element).]
I let the compiler decide. This is indeed a safety net that would not be
needed if passing bad values to such a pointer math would be caught by the
compiler.
> > --
> > :wq Claudio
> >
> > Index: rde_adjout.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/bgpd/rde_adjout.c,v
> > diff -u -p -r1.16 rde_adjout.c
> > --- rde_adjout.c 17 Mar 2026 09:29:29 -0000 1.16
> > +++ rde_adjout.c 7 May 2026 11:17:45 -0000
> > @@ -420,7 +420,7 @@ adjout_prefix_index(struct pt_entry *pte
> > {
> > ptrdiff_t idx = p - pte->adjout;
> >
> > - if (idx < 0 || idx > pte->adjoutlen)
> > + if (idx < 0 || (size_t)idx > pte->adjoutlen)
> > fatalx("corrupt pte adjout list");
> >
> > return idx;
> >
>
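Review bot: The upper bound in the changed line is still "idx > pte->adjoutlen", so idx == adjoutlen passes the check and is returned. If callers use the return value to index adjout rather than as a one-past-the-end position, this should be ">="; if one-past-the-end is intended, a short comment saying so would help. The (size_t) cast is only safe because "idx < 0" is tested first in the same "||", which is worth noting in a comment so a later reordering does not silently change the check.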
--
:wq Claudio
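The conversion behaviour discussed in this thread, as an added example that is not part of the original messages or of bgpd. It models ptrdiff_t as int32_t and int64_t to show where the bare comparison differs between the two widths and why the pre-patch and patched checks still agree. All function names, the length and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* `idx > len` where ptrdiff_t is 32 bits: a 32-bit signed type cannot hold
 * every uint32_t value, so idx is converted and compared as unsigned. */
static int gt_ilp32(int32_t idx, uint32_t len) { return (uint32_t)idx > len; }

/* Same expression where ptrdiff_t is 64 bits: len is converted to signed. */
static int gt_lp64(int64_t idx, uint32_t len) { return idx > (int64_t)len; }

/* Pre-patch check with ptrdiff_t modelled as int32_t, then as int64_t. */
static int reject_old_ilp32(int32_t idx, uint32_t len)
{
	return idx < 0 || gt_ilp32(idx, len);
}

static int reject_old_lp64(int64_t idx, uint32_t len)
{
	return idx < 0 || gt_lp64(idx, len);
}

/* Patched check: the cast is only evaluated once idx >= 0 is known. */
static int reject_new(ptrdiff_t idx, uint32_t len)
{
	return idx < 0 || (size_t)idx > len;
}

/* Returns 1 if all three forms agree on every constructed sample. */
static int checks_agree(void)
{
	static const int32_t samples[] = { INT32_MIN, -1, 0, 7, 8, 9, INT32_MAX };
	const uint32_t len = 8;		/* constructed length */
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int a = reject_old_ilp32(samples[i], len);
		int b = reject_old_lp64(samples[i], len);

		if (a != b || b != reject_new(samples[i], len))
			return 0;
	}
	return 1;
}

int main(void)
{
	return checks_agree() ? 0 : 1;
}
```

The bare comparison gives different answers for a negative idx on the two widths; the preceding `idx < 0` test is what makes the full check width-independent.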