Message-ID: <44B61EBE.1090907@nomovok.com>
Date: Thu, 13 Jul 2006 13:21:50 +0300
From: Pablo Virolainen
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Fix for accept

The following code crashes qemu user emulation.

    #include <sys/types.h>
    #include <sys/socket.h>

    /* accept() with a NULL addr and a NULL addrlen; this call crashes
       qemu user emulation */
    int main(void)
    {
        accept(0, NULL, NULL);
        return 0;
    }

Pablo Virolainen

Attachment: accept.patch

Index: linux-user/syscall.c =================================================================== RCS file: /sources/qemu/qemu/linux-user/syscall.c,v retrieving revision 1.75 diff -u -r1.75 syscall.c --- linux-user/syscall.c 27 Jun 2006 21:08:10 -0000 1.75 +++ linux-user/syscall.c 13 Jul 2006 10:18:57 -0000 @@ -878,9 +878,20 @@ int sockfd = tgetl(vptr); target_ulong target_addr = tgetl(vptr + n); target_ulong target_addrlen = tgetl(vptr + 2 * n); - socklen_t addrlen = tget32(target_addrlen); - void *addr = alloca(addrlen); - + socklen_t addrlen=0; + /* Just to get rid of compiler warnings */ + ulong addrt=0; + void *addr; + + get_user(addrlen,&target_addrlen); + get_user(addrt,&target_addr); + + if (addrt!=0) { + addr = alloca(addrlen); + } else { + addr = NULL; + } + ret = get_errno(accept(sockfd, addr, &addrlen)); if (!is_error(ret)) { host_to_target_sockaddr(target_addr, addr, addrlen);
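Review bot: in the hunk at @@ -878,9 +878,20 @@, get_user(addrlen,&target_addrlen) reads from the address of the local variable target_addrlen, so addrlen ends up holding the guest pointer value itself rather than the socklen_t the guest stored at that address; the removed tget32(target_addrlen) dereferenced the guest pointer, which is what is needed here, and it should now happen only when target_addrlen is non-zero, since accept(2) allows a NULL addrlen when addr is NULL. get_user(addrt,&target_addr) likewise only copies target_addr into addrt, so "if (target_addr != 0)" expresses the same test without the extra "ulong addrt=0;" (and if addrt is kept, target_ulong is the matching type). The success path is still unguarded: host_to_target_sockaddr(target_addr, addr, addrlen) in the trailing context runs with addr == NULL and target_addr == 0 whenever the guest passed no address, so the write-back needs the same non-NULL check as the alloca.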