From 6a3519f3a8af26891464272422acb65aeba1b109 Mon Sep 17 00:00:00 2001
From: Ben Gras
Date: Tue, 24 May 2005 12:30:29 +0000
Subject: [PATCH] Added 2 checks to mapping function - one for overflow (virtual address + size wraparound), one to see if the size fits in the designated segment. It seems this check wasn't done. This came to light when trying to pre-check the users buffer for read() and write() in using the vectored virtual copy system call in servers/fs/read.c.
---
 kernel/system.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/system.c b/kernel/system.c
index e9174c0e1..4b0856c6e 100755
--- a/kernel/system.c
+++ b/kernel/system.c
@@ -315,6 +315,7 @@ vir_bytes bytes; /* # of bytes to be copied */
 return 0;
 }
+
 /*===========================================================================*
 * umap_local *
 *===========================================================================*/
@@ -341,6 +342,7 @@ vir_bytes bytes; /* # of bytes to be copied */
 */
 if (bytes <= 0) return( (phys_bytes) 0);
+ if (vir_addr + bytes <= vir_addr) return 0; /* overflow */
 vc = (vir_addr + bytes - 1) >> CLICK_SHIFT; /* last click of data */
 #if (CHIP == INTEL) || (CHIP == M68000)
@@ -353,6 +355,10 @@ vir_bytes bytes; /* # of bytes to be copied */
 if((vir_addr>>CLICK_SHIFT) >= rp->p_memmap[seg].mem_vir + rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
+
+ if(vc >= rp->p_memmap[seg].mem_vir +
+ rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
+
 #if (CHIP == INTEL)
 seg_base = (phys_bytes) rp->p_memmap[seg].mem_phys;
 seg_base = seg_base << CLICK_SHIFT; /* segment origin in bytes */
@@ -369,7 +375,6 @@ vir_bytes bytes; /* # of bytes to be copied */
 #endif
 }
-
 /*==========================================================================*
 * numap_local *
 *==========================================================================*/
-- 
2.44.0
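Review bot: The new guard `if (vir_addr + bytes <= vir_addr) return 0; /* overflow */` returns a bare `0` while the failure path on the line above it, and the ones in the later hunk, return `( (phys_bytes) 0 )`; for consistency it should read `if (vir_addr + bytes <= vir_addr) return( (phys_bytes) 0 ); /* overflow */`. The guard is also only meaningful if `vir_bytes` is an unsigned type, because the wraparound it relies on would be signed overflow (undefined behaviour, which a compiler may optimise the test away on) otherwise; the typedef is not visible here, so that is worth confirming and recording in the comment, e.g. `/* overflow: relies on unsigned wraparound of vir_bytes */`. Since `bytes <= 0` has already been rejected on the preceding line, `<=` and `<` are equivalent in this test. umap_local's body begins and continues outside the hunk.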
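Review bot: With the added `vc` bound in place, the existing check on `(vir_addr>>CLICK_SHIFT)` immediately above it becomes redundant: once the wraparound guard earlier in the function has rejected overflow, the last click `vc` is never below the start click, so whenever the older condition holds the new one holds too and the older check no longer rejects anything on its own. Either drop the older check, or if both are kept, hoist the repeated `rp->p_memmap[seg].mem_vir + rp->p_memmap[seg].mem_len` into one local such as `vir_clicks seg_end = rp->p_memmap[seg].mem_vir + rp->p_memmap[seg].mem_len;` and compare both clicks against it, which also avoids the awkward line break inside the new condition. Note that both checks only bound the upper end of the range; neither rejects a start click below the selected segment's `mem_vir`, and whether that can occur depends on the segment selection above this hunk, which is not visible here. The enclosing function starts and ends outside the hunk.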