[ Please pull from git://git.xenomai.org/xenomai-jki.git for-2.4.x ] The test for __xn_access_ok was inverted, thus rejected valid requests. Fix this and refactor the code in order to check for the actual size of the passed fd sets.
Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>
---
ksrc/skins/posix/syscall.c | 21 +++++++++------------
1 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/ksrc/skins/posix/syscall.c b/ksrc/skins/posix/syscall.c
index 5c62a45..f0111f8 100644
--- a/ksrc/skins/posix/syscall.c
+++ b/ksrc/skins/posix/syscall.c
@@ -2384,17 +2384,16 @@ static int __select(struct task_struct *curr, struct
pt_regs *regs)
struct timeval tv;
pthread_t thread;
int i, err, nfds;
+ size_t fds_size;
thread = pse51_current_thread();
if (!thread)
return -EPERM;
if (__xn_reg_arg5(regs)) {
- if (__xn_access_ok(curr, VERIFY_WRITE,
- __xn_reg_arg5(regs), sizeof(tv)))
- return -EFAULT;
-
- if (__xn_copy_from_user(curr, &tv,
+ if (!__xn_access_ok(curr, VERIFY_WRITE,
+ __xn_reg_arg5(regs), sizeof(tv)) ||
+ __xn_copy_from_user(curr, &tv,
(void __user *)__xn_reg_arg5(regs),
sizeof(tv)))
return -EFAULT;
@@ -2407,19 +2406,17 @@ static int __select(struct task_struct *curr, struct
pt_regs *regs)
}
nfds = __xn_reg_arg1(regs);
+ fds_size = __FDELT(nfds + __NFDBITS - 1) * sizeof(long);
for (i = 0; i < XNSELECT_MAX_TYPES; i++)
if (ufd_sets[i]) {
in_fds[i] = &in_fds_storage[i];
out_fds[i] = & out_fds_storage[i];
- if (__xn_access_ok(curr, VERIFY_WRITE,
- ufd_sets[i], sizeof(fd_set)))
- return -EFAULT;
-
- if (__xn_copy_from_user(curr, in_fds[i],
+ if (!__xn_access_ok(curr, VERIFY_WRITE,
+ ufd_sets[i], fds_size) ||
+ __xn_copy_from_user(curr, in_fds[i],
(void __user *) ufd_sets[i],
- __FDELT(nfds + __NFDBITS - 1)
- * sizeof(long)))
+ fds_size))
return -EFAULT;
}
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Xenomai-core mailing list Xenomai-core@gna.org https://mail.gna.org/listinfo/xenomai-core
