From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35290) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XELPh-0006tW-W2 for qemu-devel@nongnu.org; Mon, 04 Aug 2014 12:47:18 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XELPY-00086h-RR for qemu-devel@nongnu.org; Mon, 04 Aug 2014 12:47:09 -0400
From: Tom Musta
Date: Mon, 4 Aug 2014 11:45:33 -0500
Message-Id: <1407170739-12237-7-git-send-email-tommusta@gmail.com>
In-Reply-To: <1407170739-12237-1-git-send-email-tommusta@gmail.com>
References: <1407170739-12237-1-git-send-email-tommusta@gmail.com>
Subject: [Qemu-devel] [PATCH 06/12] linux-user: Detect Negative Message Sizes in msgsnd System Call
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: qemu-devel@nongnu.org, qemu-ppc@nongnu.org
Cc: Tom Musta , riku.voipio@linaro.org, agraf@suse.de

The msgsnd system call takes an argument that describes the message size (msgsz) and is of type size_t. The system call should set errno to EINVAL in the event that a negative message size is passed.

Signed-off-by: Tom Musta

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index c0c0434..f524a39 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2870,12 +2870,16 @@ struct target_msgbuf { }; static inline abi_long do_msgsnd(int msqid, abi_long msgp, - unsigned int msgsz, int msgflg) + ssize_t msgsz, int msgflg) { struct target_msgbuf *target_mb; struct msgbuf *host_mb; abi_long ret = 0; + if (msgsz < 0) { + return -TARGET_EINVAL; + } + if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0)) return -TARGET_EFAULT; host_mb = malloc(msgsz+sizeof(long)); -- 1.7.1
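Review bot: the signed type introduced for the new check is the host's `ssize_t`, while every other width-sensitive value in do_msgsnd in this hunk (`abi_long msgp`, `abi_long ret`, and the `abi_long` return type) is target-width; with `ssize_t msgsz` the `msgsz < 0` test is made at the host's width, so whether a value that was negative in the guest still reads as negative here depends on how the caller converts it, and the caller is not shown in this hunk. Consider `abi_long msgsz` together with `if (msgsz < 0)` so the sign test is done at the guest's own width, or add a comment at the check stating that callers are expected to hand in a sign-extended value. The placement of the check is right: it precedes lock_user_struct, so the early `return -TARGET_EINVAL` leaks nothing, and with msgsz known to be non-negative the `malloc(msgsz+sizeof(long))` that follows can no longer be handed a size that wrapped from a negative value. The commit message could also say that size_t is the type in the kernel interface while the function's parameter is changed to a signed type precisely so that such a value can be rejected.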