From patchwork Mon Aug 4 16:45:33 2014
X-Patchwork-Submitter: Tom Musta
X-Patchwork-Id: 376391
From: Tom Musta
To: qemu-devel@nongnu.org, qemu-ppc@nongnu.org
Cc: Tom Musta, riku.voipio@linaro.org, agraf@suse.de
Date: Mon, 4 Aug 2014 11:45:33 -0500
Message-Id: <1407170739-12237-7-git-send-email-tommusta@gmail.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1407170739-12237-1-git-send-email-tommusta@gmail.com>
References: <1407170739-12237-1-git-send-email-tommusta@gmail.com>
Subject: [Qemu-devel] [PATCH 06/12] linux-user: Detect Negative Message Sizes in msgsnd System Call

The msgsnd system call takes an argument that describes the message size (msgsz) and is of type size_t. The system call should set errno to EINVAL in the event that a negative message size is passed.

Signed-off-by: Tom Musta
Reviewed-by: Peter Maydell

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index c0c0434..f524a39 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c
@@ -2870,12 +2870,16 @@ struct target_msgbuf { }; static inline abi_long do_msgsnd(int msqid, abi_long msgp, - unsigned int msgsz, int msgflg) + ssize_t msgsz, int msgflg) { struct target_msgbuf *target_mb; struct msgbuf *host_mb; abi_long ret = 0; + if (msgsz < 0) { + return -TARGET_EINVAL; + } + if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0)) return -TARGET_EFAULT; host_mb = malloc(msgsz+sizeof(long));
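Review bot: the new `if (msgsz < 0)` check only fires if every caller passes the guest's msgsz through a signed type; the hunk changes the parameter from `unsigned int` to `ssize_t` but does not show the call sites, so please confirm they hand over an abi_long rather than an abi_ulong or unsigned value, since a negative 32-bit guest size zero-extended on a 64-bit host becomes a large positive ssize_t and the check never triggers. The commit message also says msgsz is "of type size_t" while the function now takes ssize_t; a sentence stating that the signed parameter is deliberate (so that the comparison is meaningful) would make the intent clearer. On the last context line, `host_mb = malloc(msgsz+sizeof(long));` still has no upper bound or NULL check visible in the hunk, so a large positive size still reaches malloc unchecked.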
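As an added illustration, not part of this patch or of QEMU's code, the constructed C program below shows why the sign check in the hunk depends on the call site's type: the old `unsigned int` parameter already hides a negative guest size, and even with the new `ssize_t` parameter a caller that passes an unsigned guest word bypasses the check on a 64-bit host. The `abi_long`/`abi_ulong` typedefs and the `TARGET_EINVAL` value are stand-ins assumed here, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed stand-ins for QEMU's abi_long/abi_ulong for a 32-bit guest;
 * the real typedefs live in the linux-user headers (assumed here). */
typedef int32_t abi_long;
typedef uint32_t abi_ulong;

/* Assumed errno value for TARGET_EINVAL, used only for illustration. */
#define TARGET_EINVAL 22

/* Pre-patch shape: msgsz arrives as unsigned int, so a guest -1 is already
 * 0xFFFFFFFF here and a huge allocation size reaches malloc. */
static size_t old_alloc_size(unsigned int msgsz)
{
    return msgsz + sizeof(long);
}

/* Patched shape: ssize_t parameter plus the EINVAL check from the hunk. */
static long check_msgsz(ssize_t msgsz)
{
    if (msgsz < 0) {
        return -TARGET_EINVAL;
    }
    return 0;
}

/* A caller passing the guest value as abi_long sign-extends -1 to
 * (ssize_t)-1, so the check fires. */
static long check_via_signed_caller(abi_long guest_msgsz)
{
    return check_msgsz((ssize_t)guest_msgsz);
}

/* A caller passing it as abi_ulong zero-extends 0xFFFFFFFF to a large
 * positive ssize_t whenever ssize_t is wider than the guest word. */
static long check_via_unsigned_caller(abi_ulong guest_msgsz)
{
    return check_msgsz((ssize_t)guest_msgsz);
}

/* True on hosts where the unsigned-caller path silently defeats the check. */
static int unsigned_caller_defeats_check(void)
{
    return sizeof(ssize_t) > sizeof(abi_ulong);
}
```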