summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2013-06-28 23:57:58 -0400
committerRich Felker <dalias@aerifal.cx>2013-06-28 23:57:58 -0400
commit062f40ef3e56021f4a9902095867e35cce6d99c4 (patch)
tree102a798592f8fdc5c74acdec9d8cb673b822cb93
parent553d566c3f7080cf1f339eebf715db7e5d0b0d76 (diff)
downloadmusl-062f40ef3e56021f4a9902095867e35cce6d99c4.tar.gz
work around wrong kernel type for sem_nsems member of struct semid_ds
rejecting invalid values for n is fine even in the case where a new sem will not be created, since the kernel does its range checks on n even in this case as well. by default, the kernel will bound the limit well below USHRT_MAX anyway, but it's presumably possible that an administrator could override this limit and break things.
-rw-r--r--include/sys/sem.h10
-rw-r--r--src/ipc/semget.c7
2 files changed, 16 insertions, 1 deletions
diff --git a/include/sys/sem.h b/include/sys/sem.h
index cc3a3e63..e74ea208 100644
--- a/include/sys/sem.h
+++ b/include/sys/sem.h
@@ -25,13 +25,21 @@ extern "C" {
#define SETVAL 16
#define SETALL 17
+#include <endian.h>
+
struct semid_ds {
struct ipc_perm sem_perm;
long sem_otime;
unsigned long __unused1;
long sem_ctime;
unsigned long __unused2;
- unsigned long sem_nsems;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ unsigned short sem_nsems;
+ char __sem_nsems_pad[sizeof(long)-sizeof(short)];
+#else
+ char __sem_nsems_pad[sizeof(long)-sizeof(short)];
+ unsigned short sem_nsems;
+#endif
unsigned long __unused3;
unsigned long __unused4;
};
diff --git a/src/ipc/semget.c b/src/ipc/semget.c
index 5f110e3b..c4a559db 100644
--- a/src/ipc/semget.c
+++ b/src/ipc/semget.c
@@ -1,9 +1,16 @@
#include <sys/sem.h>
+#include <limits.h>
+#include <errno.h>
#include "syscall.h"
#include "ipc.h"
int semget(key_t key, int n, int fl)
{
+ /* The kernel uses the wrong type for the sem_nsems member
+ * of struct semid_ds, and thus might not check that the
+ * n fits in the correct (per POSIX) userspace type, so
+ * we have to check here. */
+ if (n > USHRT_MAX) return __syscall_ret(-EINVAL);
#ifdef SYS_semget
return syscall(SYS_semget, key, n, fl);
#else