On 4 August 2014 17:45, Tom Musta <tommu...@gmail.com> wrote:
> The msgsnd system call takes an argument that describes the message
> size (msgsz) and is of type size_t. The system call should set
> errno to EINVAL in the event that a negative message size is passed.
>
> Signed-off-by: Tom Musta <tommu...@gmail.com>
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index c0c0434..f524a39 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -2870,12 +2870,16 @@ struct target_msgbuf {
> };
>
> static inline abi_long do_msgsnd(int msqid, abi_long msgp,
> - unsigned int msgsz, int msgflg)
> + ssize_t msgsz, int msgflg)
> {
> struct target_msgbuf *target_mb;
> struct msgbuf *host_mb;
> abi_long ret = 0;
>
> + if (msgsz < 0) {
> + return -TARGET_EINVAL;
> + }
> +
> if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0))
> return -TARGET_EFAULT;
> host_mb = malloc(msgsz+sizeof(long));
> --
This won't catch the case where the guest's abi_long is
64 bit but the host's ssize_t is only 32 bits and the guest
passed us a negative value with bit 31 zero, but we
probably don't really care about that.
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
thanks
-- PMM
