Make the nsops' variable in semop' unsigned. This prevents an

overflow if uap->nsops (which is already unsigned) is over INT_MAX; consequently, the bounds check below becomes valid. Previously, if a value over INT_MAX was passed in uap->nsops, the bounds check wouldn't catch it, and the value would be used to compute copyin()'s third argument. Obtained from: NetBSD
2001-09-10 11:36:08 +00:00 · 2001-09-10 11:36:08 +00:00 · afcc728682
commit afcc728682
parent bd6f9cb9b6
1 changed files with 5 additions and 5 deletions
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@ -781,7 +781,7 @@ semget(p, uap)
 struct semop_args {
 	int	semid;
 	struct	sembuf *sops;
-	int	nsops;
+	u_int	nsops;
 };
 #endif

@ -794,7 +794,7 @@ semop(p, uap)
 	register struct semop_args *uap;
 {
 	int semid = uap->semid;
-	int nsops = uap->nsops;
+	u_int nsops = uap->nsops;
 	struct sembuf sops[MAX_SOPS];
 	register struct semid_ds *semaptr;
 	register struct sembuf *sopptr;
@ -804,7 +804,7 @@ semop(p, uap)
 	int do_wakeup, do_undos;

 #ifdef SEM_DEBUG
-	printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
+	printf("call to semop(%d, 0x%x, %u)\n", semid, sops, nsops);
 #endif

 	mtx_lock(&Giant);
@ -840,7 +840,7 @@ semop(p, uap)

 	if (nsops > MAX_SOPS) {
 #ifdef SEM_DEBUG
-		printf("too many sops (max=%d, nsops=%d)\n", MAX_SOPS, nsops);
+		printf("too many sops (max=%d, nsops=%u)\n", MAX_SOPS, nsops);
 #endif
 		error = E2BIG;
 		goto done2;
@ -848,7 +848,7 @@ semop(p, uap)

 	if ((error = copyin(uap->sops, &sops, nsops * sizeof(sops[0]))) != 0) {
 #ifdef SEM_DEBUG
-		printf("error = %d from copyin(%08x, %08x, %d)\n", error,
+		printf("error = %d from copyin(%08x, %08x, %u)\n", error,
 		    uap->sops, &sops, nsops * sizeof(sops[0]));
 #endif
 		goto done2;