Message ID | 20231023135647.2157030-3-kevin.brodsky@arm.com |
---|---|
State | Accepted |
Series | Various fixes for out-of-bound uaccess |
diff --git a/testcases/kernel/syscalls/ipc/msgctl/msgctl06.c b/testcases/kernel/syscalls/ipc/msgctl/msgctl06.c index 6f54763833ed..c1264b71e0e4 100644 --- a/testcases/kernel/syscalls/ipc/msgctl/msgctl06.c +++ b/testcases/kernel/syscalls/ipc/msgctl/msgctl06.c @@ -139,12 +139,16 @@ static void verify_msgctl(unsigned int n) static void setup(void) { struct msqid_ds temp_buf; + struct buf { + long type; + char text[5]; + } msgbuf = {MSGTYPE, "abcd"}; ltpuser = SAFE_GETPWNAM("nobody"); nobody_uid = ltpuser->pw_uid; root_uid = 0; msg_id = SAFE_MSGGET(IPC_PRIVATE, IPC_CREAT | MSG_RW); - SAFE_MSGSND(msg_id, "abcd", 4, 0); + SAFE_MSGSND(msg_id, &msgbuf, sizeof(msgbuf.text), 0); TEST(msgctl(msg_id, MSG_STAT_ANY, &temp_buf)); if (TST_RET == -1) {
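Review bot: the msgsz passed to the new SAFE_MSGSND() call grows from 4 to 5 bytes, because sizeof(msgbuf.text) counts the terminating NUL that "abcd" stores in text[5]. If the original 4-byte payload should be preserved, declare text[4] or pass 4 explicitly; otherwise mention the size change in the commit message. MSGTYPE is not defined in the visible lines, so confirm it is a positive value, since msgsnd() fails with EINVAL when the message type is not greater than zero. The struct tag buf is used for this one variable only, so an anonymous struct would be enough.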
msgsnd() expects a pointer to a struct as second argument. If a pointer to a short buffer is provided instead, both the type and message read by the kernel will be garbage. This went unnoticed as the sent message is never read back in this test.

Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
---
testcases/kernel/syscalls/ipc/msgctl/msgctl06.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)