
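--- a/linux-2.6.5/arch/ia64/ia32/sys_ia32.c-o
+++ b/linux-2.6.5/arch/ia64/ia32/sys_ia32.c-o
@@ -95,7 +95,7 @@
 static DECLARE_MUTEX(ia32_mmap_sem);
 
 static int
-nargs (unsigned int arg, char **ap)
+nargs (unsigned int arg, char **ap, int max)
 {
 	unsigned int addr;
 	int n, err;
@@ -108,6 +108,8 @@
 		err = get_user(addr, (unsigned int *)A(arg));
 		if (err)
 			return err;
+		if (n > max)
+			return -E2BIG;
 		if (ap)
 			*ap++ = (char *) A(addr);
 		arg += sizeof(unsigned int);
@@ -125,10 +127,11 @@
 	int na, ne, len;
 	long r;
 
-	na = nargs(argv, NULL);
+	/* Allocates upto 2x MAX_ARG_PAGES */
+	na = nargs(argv, NULL, (MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1);
 	if (na < 0)
 		return na;
-	ne = nargs(envp, NULL);
+	ne = nargs(envp, NULL, (MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1 );
 	if (ne < 0)
 		return ne;
 	len = (na + ne + 2) * sizeof(*av);
@@ -140,10 +143,10 @@
 	av[na] = NULL;
 	ae[ne] = NULL;
 
-	r = nargs(argv, av);
+	r = nargs(argv, av, na);
 	if (r < 0)
 		goto out;
-	r = nargs(envp, ae);
+	r = nargs(envp, ae, ne);
 	if (r < 0)
 		goto out;
 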
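Review bot: The second-pass calls `r = nargs(argv, av, na);` and `r = nargs(envp, ae, ne);` take their bound from the counts of the first pass, and nothing in the hunk records why a bound is needed on a copy of data that was just counted; a comment at the first of them would make the intent explicit: `/* argv/envp are read from user space a second time; bound the copy by the first-pass counts so a concurrent change cannot overrun av/ae */`. Since `av` has na+1 slots (`len = (na + ne + 2) * sizeof(*av)`, `av[na] = NULL`), the check `n > max` letting `n == max` through is consistent with that layout, although the point where `n` is incremented is in the loop header outside the hunk. The limit `(MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1` is spelled out twice and is a size_t handed to an `int max`; a single named constant would keep the two call sites in step, and the enclosing sys32_execve body continues outside the hunks.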
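--- a/linux-2.6.5/arch/x86_64/ia32/sys_ia32.c-o
+++ b/linux-2.6.5/arch/x86_64/ia32/sys_ia32.c-o
@@ -1218,7 +1218,7 @@
 	return ret;
 } 
 
-static int nargs(u32 src, char **dst) 
+static int nargs(u32 src, char **dst, unsigned max) 
 { 
 	int cnt;
 	u32 val; 
@@ -1228,12 +1228,12 @@
 		int ret = get_user(val, (__u32 *)(u64)src); 
 		if (ret)
 			return ret;
+		if (cnt > max)
+			return -E2BIG; 
 		if (dst)
 			dst[cnt] = (char *)(u64)val; 
 		cnt++;
 		src += 4; 	
-		if (cnt >= (MAX_ARG_PAGES*PAGE_SIZE)/sizeof(void*))
-			return -E2BIG; 
 	} while(val); 
 	if (dst)
 		dst[cnt-1] = 0; 
@@ -1248,13 +1248,14 @@
 	int ret;
 	unsigned sz = 0; 
 
+	/* RED-PEN We actually allocate 2 * MAX_ARG_PAGES max */
 	if (argv) {
-	na = nargs(argv, NULL); 
+	na = nargs(argv, NULL, (MAX_ARG_PAGES*PAGE_SIZE)/sizeof(void*) - 1); 
 	if (na < 0) 
 		return -EFAULT; 
 	} 	
 	if (envp) { 
-	ne = nargs(envp, NULL); 
+	ne = nargs(envp, NULL, (MAX_ARG_PAGES*PAGE_SIZE)/sizeof(void*) - 1); 
 	if (ne < 0) 
 		return -EFAULT; 
 	}
@@ -1270,13 +1271,13 @@
 	} 
 	
 	if (argv) { 
-	ret = nargs(argv, buf);
+	ret = nargs(argv, buf, na);
 	if (ret < 0)
 		goto free;
 	}
 
 	if (envp) { 
-	ret = nargs(envp, buf + na); 
+	ret = nargs(envp, buf + na, ne); 
 	if (ret < 0)
 		goto free; 
 	}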
