Added 2 checks to mapping function - one for overflow (virtual address +

size wraparound), one to see if the size fits in the designated segment.

It seems this check wasn't done. This came to light when trying to pre-check
the users buffer for read() and write() in using the vectored virtual
copy system call in servers/fs/read.c.

diff --git a/kernel/system.c b/kernel/system.c
index e9174c0e1546e37d12109f0b909e05ad29e02bf0..4b0856c6edce4c7104bb832045034a8ebb5d9b8c 100755 (executable)
--- a/kernel/system.c
+++ b/kernel/system.c
@@ -315,6 +315,7 @@ vir_bytes bytes;            /* # of bytes to be copied */
   return 0;
 }
 
+
 /*===========================================================================*
  *                             umap_local                                   *
  *===========================================================================*/
@@ -341,6 +342,7 @@ vir_bytes bytes;            /* # of bytes to be copied */
    */
 
   if (bytes <= 0) return( (phys_bytes) 0);
+  if (vir_addr + bytes <= vir_addr) return 0;  /* overflow */
   vc = (vir_addr + bytes - 1) >> CLICK_SHIFT;  /* last click of data */
 
 #if (CHIP == INTEL) || (CHIP == M68000)
@@ -353,6 +355,10 @@ vir_bytes bytes;           /* # of bytes to be copied */
 
   if((vir_addr>>CLICK_SHIFT) >= rp->p_memmap[seg].mem_vir + 
        rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
+
+  if(vc >= rp->p_memmap[seg].mem_vir + 
+       rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
+
 #if (CHIP == INTEL)
   seg_base = (phys_bytes) rp->p_memmap[seg].mem_phys;
   seg_base = seg_base << CLICK_SHIFT;  /* segment origin in bytes */
@@ -369,7 +375,6 @@ vir_bytes bytes;            /* # of bytes to be copied */
 #endif
 }
 
-
 /*==========================================================================*
  *                             numap_local                                 *
  *==========================================================================*/