Attachment #39007 for bug #90499

View | Details | Raw Unified | Return to bug 90499
Collapse All | Expand All




	return ret;
} 

static int nargs(u32 src, char **dst, unsigned max) 
{ 
	int cnt;
	u32 val; 

			dst[cnt] = (char *)(u64)val; 
		cnt++;
		src += 4;
		if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *) || (max && cnt >= max))
			return -E2BIG; 
	} while(val); 
	if (dst)

	unsigned sz = 0; 
	
	if (argv) {
	na = nargs(argv, NULL, 0); 
	if (na < 0) 
		return -EFAULT; 
	} 	
	if (envp) { 
	ne = nargs(envp, NULL, 0); 
	if (ne < 0) 
		return -EFAULT; 
	}

	} 
	
	if (argv) { 
	ret = nargs(argv, buf, na);
	if (ret < 0)
		goto free;
	}

	if (envp) { 
	ret = nargs(envp, buf + na, ne); 
	if (ret < 0)
		goto free; 
	}




static DECLARE_MUTEX(ia32_mmap_sem);

static int
nargs (unsigned int arg, char **ap, unsigned max)
{
	unsigned int addr;
	int n, err;

			*ap++ = (char *) A(addr);
		arg += sizeof(unsigned int);
		n++;
		if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *) || (max && cnt >= max))
			return -E2BIG;
	} while (addr);
	return n - 1;

	int na, ne, len;
	long r;

	na = nargs(argv, NULL, 0);
	if (na < 0)
		return na;
	ne = nargs(envp, NULL, 0);
	if (ne < 0)
		return ne;
	len = (na + ne + 2) * sizeof(*av);

	av[na] = NULL;
	ae[ne] = NULL;

	r = nargs(argv, av, na);
	if (r < 0)
		goto out;
	r = nargs(envp, ae, ne);
	if (r < 0)
		goto out;


Return to bug 90499

Lines 2200-2206 Link Here

(-)linux-2.4.31/arch/x86_64/ia32/sys_ia32.c-o (-6 / +6 lines)
2200	return ret;	2200	return ret;
2201	}	2201	}
2202		2202
2203	static int nargs(u32 src, char **dst)	2203	static int nargs(u32 src, char **dst, unsigned max)
2204	{	2204	{
2205	int cnt;	2205	int cnt;
2206	u32 val;	2206	u32 val;
Lines 2214-2220 Link Here
2214	dst[cnt] = (char *)(u64)val;	2214	dst[cnt] = (char *)(u64)val;
2215	cnt++;	2215	cnt++;
2216	src += 4;	2216	src += 4;
2217	if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))	2217	if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *) \|\| (max && cnt >= max))
2218	return -E2BIG;	2218	return -E2BIG;
2219	} while(val);	2219	} while(val);
2220	if (dst)	2220	if (dst)
Lines 2231-2242 Link Here
2231	unsigned sz = 0;	2231	unsigned sz = 0;
2232		2232
2233	if (argv) {	2233	if (argv) {
2234	na = nargs(argv, NULL);	2234	na = nargs(argv, NULL, 0);
2235	if (na < 0)	2235	if (na < 0)
2236	return -EFAULT;	2236	return -EFAULT;
2237	}	2237	}
2238	if (envp) {	2238	if (envp) {
2239	ne = nargs(envp, NULL);	2239	ne = nargs(envp, NULL, 0);
2240	if (ne < 0)	2240	if (ne < 0)
2241	return -EFAULT;	2241	return -EFAULT;
2242	}	2242	}
Lines 2252-2264 Link Here
2252	}	2252	}
2253		2253
2254	if (argv) {	2254	if (argv) {
2255	ret = nargs(argv, buf);	2255	ret = nargs(argv, buf, na);
2256	if (ret < 0)	2256	if (ret < 0)
2257	goto free;	2257	goto free;
2258	}	2258	}
2259		2259
2260	if (envp) {	2260	if (envp) {
2261	ret = nargs(envp, buf + na);	2261	ret = nargs(envp, buf + na, ne);
2262	if (ret < 0)	2262	if (ret < 0)
2263	goto free;	2263	goto free;
2264	}	2264	}

Lines 94-100 Link Here

(-)linux-2.4.31/arch/ia64/ia32/sys_ia32.c-o (-6 / +6 lines)
94	static DECLARE_MUTEX(ia32_mmap_sem);	94	static DECLARE_MUTEX(ia32_mmap_sem);
95		95
96	static int	96	static int
97	nargs (unsigned int arg, char **ap)	97	nargs (unsigned int arg, char **ap, unsigned max)
98	{	98	{
99	unsigned int addr;	99	unsigned int addr;
100	int n, err;	100	int n, err;
Lines 111-117 Link Here
111	ap++ = (char ) A(addr);	111	ap++ = (char ) A(addr);
112	arg += sizeof(unsigned int);	112	arg += sizeof(unsigned int);
113	n++;	113	n++;
114	if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))	114	if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *) \|\| (max && cnt >= max))
115	return -E2BIG;	115	return -E2BIG;
116	} while (addr);	116	} while (addr);
117	return n - 1;	117	return n - 1;
Lines 128-137 Link Here
128	int na, ne, len;	128	int na, ne, len;
129	long r;	129	long r;
130		130
131	na = nargs(argv, NULL);	131	na = nargs(argv, NULL, 0);
132	if (na < 0)	132	if (na < 0)
133	return na;	133	return na;
134	ne = nargs(envp, NULL);	134	ne = nargs(envp, NULL, 0);
135	if (ne < 0)	135	if (ne < 0)
136	return ne;	136	return ne;
137	len = (na + ne + 2) * sizeof(*av);	137	len = (na + ne + 2) * sizeof(*av);
Lines 143-152 Link Here
143	av[na] = NULL;	143	av[na] = NULL;
144	ae[ne] = NULL;	144	ae[ne] = NULL;
145		145
146	r = nargs(argv, av);	146	r = nargs(argv, av, na);
147	if (r < 0)	147	if (r < 0)
148	goto out;	148	goto out;
149	r = nargs(envp, ae);	149	r = nargs(envp, ae, ne);
150	if (r < 0)	150	if (r < 0)
151	goto out;	151	goto out;
152		152