Make the `nsops' variable in `semop' unsigned.

This prevents an overflow if uap->nsops (which is already unsigned) is over INT_MAX;
consequently, the bounds check below becomes valid.  Previously, if a
value over INT_MAX was passed in uap->nsops, the bounds check wouldn't
catch it, and the value would be used to compute copyin()'s third
argument.

Obtained from:	NetBSD
Dima Dorfman 2001-09-10 11:36:08 +00:00
parent bf61e26696
commit b40832162b


@ -781,7 +781,7 @@ semget(p, uap)
struct semop_args {
int semid;
struct sembuf *sops;
int nsops;
u_int nsops;
};
#endif
@ -794,7 +794,7 @@ semop(p, uap)
register struct semop_args *uap;
{
int semid = uap->semid;
int nsops = uap->nsops;
u_int nsops = uap->nsops;
struct sembuf sops[MAX_SOPS];
register struct semid_ds *semaptr;
register struct sembuf *sopptr;
@ -804,7 +804,7 @@ semop(p, uap)
int do_wakeup, do_undos;
#ifdef SEM_DEBUG
printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
printf("call to semop(%d, 0x%x, %u)\n", semid, sops, nsops);
#endif
mtx_lock(&Giant);
@ -840,7 +840,7 @@ semop(p, uap)
if (nsops > MAX_SOPS) {
#ifdef SEM_DEBUG
printf("too many sops (max=%d, nsops=%d)\n", MAX_SOPS, nsops);
printf("too many sops (max=%d, nsops=%u)\n", MAX_SOPS, nsops);
#endif
error = E2BIG;
goto done2;
@ -848,7 +848,7 @@ semop(p, uap)
if ((error = copyin(uap->sops, &sops, nsops * sizeof(sops[0]))) != 0) {
#ifdef SEM_DEBUG
printf("error = %d from copyin(%08x, %08x, %d)\n", error,
printf("error = %d from copyin(%08x, %08x, %u)\n", error,
uap->sops, &sops, nsops * sizeof(sops[0]));
#endif
goto done2;
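Review bot: The `%u` added on the copyin() debug printf in the last hunk still does not match its argument: `nsops * sizeof(sops[0])` on the following line is promoted to `size_t`, so on an LP64 target a 64-bit value is read through a 32-bit conversion, and the two pointers printed with `%08x` have the same problem. This is a SEM_DEBUG-only path, so it cannot affect the fix itself, but since the line is being touched I would cast explicitly: `printf("error = %d from copyin(%p, %p, %lu)\n", error, uap->sops, &sops, (u_long)(nsops * sizeof(sops[0])));`. The same `0x%x` pointer format appears in the first SEM_DEBUG printf of semop() earlier in this section. The sign fix itself looks right: with `nsops` unsigned, `nsops > MAX_SOPS` now rejects every value above MAX_SOPS before it reaches copyin()'s length argument. semop()'s body continues past the end of the visible hunks.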