Added 2 checks to mapping function - one for overflow (virtual address +

size wraparound), one to see if the size fits in the designated segment.

It seems this check wasn't done. This came to light when trying to pre-check
the user's buffer for read() and write() using the vectored virtual
copy system call in servers/fs/read.c.
Ben Gras 2005-05-24 12:30:29 +00:00
parent 6ea72ca1ee
commit 6a3519f3a8


@ -315,6 +315,7 @@ vir_bytes bytes; /* # of bytes to be copied */
return 0;
}
/*===========================================================================*
* umap_local *
*===========================================================================*/
@ -341,6 +342,7 @@ vir_bytes bytes; /* # of bytes to be copied */
*/
if (bytes <= 0) return( (phys_bytes) 0);
if (vir_addr + bytes <= vir_addr) return 0; /* overflow */
vc = (vir_addr + bytes - 1) >> CLICK_SHIFT; /* last click of data */
#if (CHIP == INTEL) || (CHIP == M68000)
@ -353,6 +355,10 @@ vir_bytes bytes; /* # of bytes to be copied */
if((vir_addr>>CLICK_SHIFT) >= rp->p_memmap[seg].mem_vir +
rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
if(vc >= rp->p_memmap[seg].mem_vir +
rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
#if (CHIP == INTEL)
seg_base = (phys_bytes) rp->p_memmap[seg].mem_phys;
seg_base = seg_base << CLICK_SHIFT; /* segment origin in bytes */
@ -369,7 +375,6 @@ vir_bytes bytes; /* # of bytes to be copied */
#endif
}
/*==========================================================================*
* numap_local *
*==========================================================================*/
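Review bot: Both range tests in umap_local (the start-click test and the `vc` test just before `#if (CHIP == INTEL)`) compare only against the segment's upper limit `mem_vir + mem_len`; nothing visible here rejects a range whose first click lies below `rp->p_memmap[seg].mem_vir`. If such a range is never meant to be mapped, a matching lower-bound test such as `if ((vir_addr >> CLICK_SHIFT) < rp->p_memmap[seg].mem_vir) return( (phys_bytes) 0 );` would close it; if it is intentional, a comment saying so would help the next reader. The wraparound test `vir_addr + bytes <= vir_addr` is only sound if `vir_bytes` is unsigned, which is not visible on this page, and in that case `bytes <= 0` is really `bytes == 0`, so I would note that in a comment such as `/* vir_bytes is unsigned: wraparound is well defined */`. Once wraparound is excluded, `vc` is never smaller than the start click, so the `vc` test appears to make the start-click test redundant. The function's header comment and its tail lie outside the shown hunks, so it is worth checking that the comment documents the 0 return for a wrapped or out-of-segment range.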