From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:57019) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XHHDm-00047V-MM for qemu-devel@nongnu.org; Tue, 12 Aug 2014 14:55:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XHHDh-0007Dj-92 for qemu-devel@nongnu.org; Tue, 12 Aug 2014 14:54:58 -0400 From: Tom Musta Date: Tue, 12 Aug 2014 13:53:37 -0500 Message-Id: <1407869623-11185-7-git-send-email-tommusta@gmail.com> In-Reply-To: <1407869623-11185-1-git-send-email-tommusta@gmail.com> References: <1407869623-11185-1-git-send-email-tommusta@gmail.com> Subject: [Qemu-devel] [V2 PATCH 06/12] linux-user: Detect Negative Message Sizes in msgsnd System Call List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org, qemu-ppc@nongnu.org Cc: peter.maydell@linaro.org, riku.voipio@linaro.org, agraf@suse.de, Tom Musta The msgsnd system call takes an argument that describes the message size (msgsz) and is of type size_t. The system call should set errno to EINVAL in the event that a negative message size is passed. Signed-off-by: Tom Musta Reviewed-by: Peter Maydell --- linux-user/syscall.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 04f4820..79fb3cb 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2874,12 +2874,16 @@ struct target_msgbuf { }; static inline abi_long do_msgsnd(int msqid, abi_long msgp, - unsigned int msgsz, int msgflg) + ssize_t msgsz, int msgflg) { struct target_msgbuf *target_mb; struct msgbuf *host_mb; abi_long ret = 0; + if (msgsz < 0) { + return -TARGET_EINVAL; + } + if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0)) return -TARGET_EFAULT; host_mb = malloc(msgsz+sizeof(long)); -- 1.7.1
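Review bot: the `if (msgsz < 0)` check in do_msgsnd only works if the callers hand the size over as a signed abi_long, so that a 32-bit target's 0xffffffff arrives on a 64-bit host as a negative ssize_t rather than as 4294967295; the hunk shows only the callee, so the call site's conversion should be confirmed (or the parameter declared abi_long, the type the rest of the signature already uses) in the same change. Minor: the commit message describes msgsz as size_t, which is unsigned and cannot be negative, while the code switches the parameter to ssize_t; the text should say the value is interpreted as a signed length so the new EINVAL path matches what the code does, and the subsequent `malloc(msgsz+sizeof(long))` is still worth a NULL check since a large but non-negative msgsz now reaches it.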