From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54903) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XHdrl-00054G-4P for qemu-devel@nongnu.org; Wed, 13 Aug 2014 15:05:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XHdrf-000484-Er for qemu-devel@nongnu.org; Wed, 13 Aug 2014 15:05:44 -0400 From: Tom Musta Date: Wed, 13 Aug 2014 14:04:41 -0500 Message-Id: <1407956688-16006-7-git-send-email-tommusta@gmail.com> In-Reply-To: <1407956688-16006-1-git-send-email-tommusta@gmail.com> References: <1407956688-16006-1-git-send-email-tommusta@gmail.com> Subject: [Qemu-devel] [V3 PATCH 06/13] linux-user: Detect Negative Message Sizes in msgsnd System Call List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org, qemu-ppc@nongnu.org Cc: Tom Musta , riku.voipio@linaro.org, agraf@suse.de The msgsnd system call takes an argument that describes the message size (msgsz) and is of type size_t. The system call should set errno to EINVAL in the event that a negative message size is passed. Signed-off-by: Tom Musta Reviewed-by: Peter Maydell --- linux-user/syscall.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 04f4820..79fb3cb 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2874,12 +2874,16 @@ struct target_msgbuf { }; static inline abi_long do_msgsnd(int msqid, abi_long msgp, - unsigned int msgsz, int msgflg) + ssize_t msgsz, int msgflg) { struct target_msgbuf *target_mb; struct msgbuf *host_mb; abi_long ret = 0; + if (msgsz < 0) { + return -TARGET_EINVAL; + } + if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0)) return -TARGET_EFAULT; host_mb = malloc(msgsz+sizeof(long)); -- 1.7.1
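Review bot: the new `if (msgsz < 0)` check catches negative sizes, but the allocation at the end of the hunk, `host_mb = malloc(msgsz+sizeof(long));`, still has no NULL check in the visible lines, so a very large positive msgsz that makes malloc fail would leave host_mb NULL for the copy that follows; suggest checking the result and returning -TARGET_ENOMEM. Also, changing the parameter from `unsigned int` to `ssize_t` only detects negative guest values if the caller passes the guest's abi_long through unchanged so that a negative 32-bit target value sign-extends into ssize_t; the diffstat shows no call-site change, so a sentence in the commit message confirming that the caller already passes an abi_long would make the review self-contained.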