Fix range checking in safecopy.

author Cristiano Giuffrida <cristiano@minix3.org>

Fri, 4 Jun 2010 18:05:38 +0000 (18:05 +0000)

committer Cristiano Giuffrida <cristiano@minix3.org>

Fri, 4 Jun 2010 18:05:38 +0000 (18:05 +0000)
author Cristiano Giuffrida <cristiano@minix3.org>
Fri, 4 Jun 2010 18:05:38 +0000 (18:05 +0000)
committer Cristiano Giuffrida <cristiano@minix3.org>
Fri, 4 Jun 2010 18:05:38 +0000 (18:05 +0000)
diff --git a/kernel/system/do_safecopy.c b/kernel/system/do_safecopy.c

index 4650ae307e8712b3db610b9834a023d57afc0fd3..d25329d92e0df0d8cf6b94a5b4d8364367b064d1 100644 (file)
--- a/kernel/system/do_safecopy.c
+++ b/kernel/system/do_safecopy.c
@@ -147,8 +147,8 @@ endpoint_t *e_granter;              /* new granter (magic grants) */
                 /* Don't fiddle around with grants that wrap, arithmetic
                  * below may be confused.
                  */
-               if(MEM_TOP - g.cp_u.cp_direct.cp_len <
-                       g.cp_u.cp_direct.cp_start - 1) {
+               if(MEM_TOP - g.cp_u.cp_direct.cp_len + 1 <
+                       g.cp_u.cp_direct.cp_start) {
                         printf(
                 "verify_grant: direct grant verify failed: len too long\n");
                         return EPERM;
author	Cristiano Giuffrida <cristiano@minix3.org>
	Fri, 4 Jun 2010 18:05:38 +0000 (18:05 +0000)
committer	Cristiano Giuffrida <cristiano@minix3.org>
	Fri, 4 Jun 2010 18:05:38 +0000 (18:05 +0000)