Added 2 checks to mapping function - one for overflow (virtual address +
size wraparound), one to see if the size fits in the designated segment. It seems this check wasn't done before. This came to light when trying to pre-check the user's buffer for read() and write() using the vectored virtual copy system call in servers/fs/read.c.
parent
6ea72ca1ee
commit
6a3519f3a8
|
@ -315,6 +315,7 @@ vir_bytes bytes; /* # of bytes to be copied */
|
|||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*===========================================================================*
|
||||
* umap_local *
|
||||
*===========================================================================*/
|
||||
|
@ -341,6 +342,7 @@ vir_bytes bytes; /* # of bytes to be copied */
|
|||
*/
|
||||
|
||||
if (bytes <= 0) return( (phys_bytes) 0);
|
||||
if (vir_addr + bytes <= vir_addr) return 0; /* overflow */
|
||||
vc = (vir_addr + bytes - 1) >> CLICK_SHIFT; /* last click of data */
|
||||
|
||||
#if (CHIP == INTEL) || (CHIP == M68000)
|
||||
|
@ -353,6 +355,10 @@ vir_bytes bytes; /* # of bytes to be copied */
|
|||
|
||||
if((vir_addr>>CLICK_SHIFT) >= rp->p_memmap[seg].mem_vir +
|
||||
rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
|
||||
|
||||
if(vc >= rp->p_memmap[seg].mem_vir +
|
||||
rp->p_memmap[seg].mem_len) return( (phys_bytes) 0 );
|
||||
|
||||
#if (CHIP == INTEL)
|
||||
seg_base = (phys_bytes) rp->p_memmap[seg].mem_phys;
|
||||
seg_base = seg_base << CLICK_SHIFT; /* segment origin in bytes */
|
||||
|
@ -369,7 +375,6 @@ vir_bytes bytes; /* # of bytes to be copied */
|
|||
#endif
|
||||
}
|
||||
|
||||
|
||||
/*==========================================================================*
|
||||
* numap_local *
|
||||
*==========================================================================*/
|
||||
|
|
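Review bot: The two range checks ahead of `#if (CHIP == INTEL)` only bound the top of the segment: neither `(vir_addr>>CLICK_SHIFT)` nor `vc` is compared with `rp->p_memmap[seg].mem_vir`, so a range starting below the segment is not rejected in the lines shown. If nothing between the hunks already covers that, add `if ((vir_addr>>CLICK_SHIFT) < rp->p_memmap[seg].mem_vir) return( (phys_bytes) 0 );` next to them. The wraparound test `vir_addr + bytes <= vir_addr` is only well defined if `vir_bytes` is an unsigned type, which the hunks do not show; a comment saying so, e.g. `/* vir_bytes is unsigned: a wrapped sum compares <= vir_addr */`, would make that dependency explicit, and `return( (phys_bytes) 0 );` would match the neighbouring returns. The header comment of umap_local, which lies outside the hunks, should state that 0 means the range was rejected so callers test for it.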