Attachment #39949 for bug #90499

View | Details | Raw Unified | Return to bug 90499
Collapse All | Expand All

Lines 94-100 Link Here

(-)linux/arch/ia64/ia32/sys_ia32.c-o (-5 / +8 lines)
94	static DECLARE_MUTEX(ia32_mmap_sem);	94	static DECLARE_MUTEX(ia32_mmap_sem);
95		95
96	static int	96	static int
97	nargs (unsigned int arg, char **ap)	97	nargs (unsigned int arg, char **ap, int max)
98	{	98	{
99	unsigned int addr;	99	unsigned int addr;
100	int n, err;	100	int n, err;
Lines 107-112 Link Here
107	err = get_user(addr, (unsigned int *)A(arg));	107	err = get_user(addr, (unsigned int *)A(arg));
108	if (err)	108	if (err)
109	return err;	109	return err;
		110	if (n > max)
		111	return -E2BIG;
110	if (ap)	112	if (ap)
111	ap++ = (char ) A(addr);	113	ap++ = (char ) A(addr);
112	arg += sizeof(unsigned int);	114	arg += sizeof(unsigned int);
Lines 128-137 Link Here
128	int na, ne, len;	130	int na, ne, len;
129	long r;	131	long r;
130		132
131	na = nargs(argv, NULL);	133	/* Allocates upto 2x MAX_ARG_PAGES */
		134	na = nargs(argv, NULL, (MAX_ARG_PAGESPAGE_SIZE) / sizeof(char ) - 1);
132	if (na < 0)	135	if (na < 0)
133	return na;	136	return na;
134	ne = nargs(envp, NULL);	137	ne = nargs(envp, NULL, (MAX_ARG_PAGESPAGE_SIZE) / sizeof(char ) - 1 );
135	if (ne < 0)	138	if (ne < 0)
136	return ne;	139	return ne;
137	len = (na + ne + 2) * sizeof(*av);	140	len = (na + ne + 2) * sizeof(*av);
Lines 143-152 Link Here
143	av[na] = NULL;	146	av[na] = NULL;
144	ae[ne] = NULL;	147	ae[ne] = NULL;
145		148
146	r = nargs(argv, av);	149	r = nargs(argv, av, na);
147	if (r < 0)	150	if (r < 0)
148	goto out;	151	goto out;
149	r = nargs(envp, ae);	152	r = nargs(envp, ae, ne);
150	if (r < 0)	153	if (r < 0)
151	goto out;	154	goto out;
152		155




	return ret;
} 

static int nargs(u32 src, char **dst, int max) 
{ 
	int cnt;
	u32 val; 

			dst[cnt] = (char *)(u64)val; 
		cnt++;
		src += 4;
		if (cnt > max)
			return -E2BIG; 
	} while(val); 
	if (dst)

	int ret;
	unsigned sz = 0; 
	
	/* Can actually allocate 2*MAX_ARG_PAGES */
	if (argv) {
	na = nargs(argv, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1); 
	if (na < 0) 
		return -EFAULT; 
	} 	
	if (envp) { 
	ne = nargs(envp, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1); 
	if (ne < 0) 
		return -EFAULT; 
	}

	} 
	
	if (argv) { 
	ret = nargs(argv, buf, na);
	if (ret < 0)
		goto free;
	}

	if (envp) { 
	ret = nargs(envp, buf + na, ne); 
	if (ret < 0)
		goto free; 
	}

Return to bug 90499

Lines 2200-2206 Link Here

(-)linux/arch/x86_64/ia32/sys_ia32.c-o (-6 / +7 lines)
2200	return ret;	2200	return ret;
2201	}	2201	}
2202		2202
2203	static int nargs(u32 src, char **dst)	2203	static int nargs(u32 src, char **dst, int max)
2204	{	2204	{
2205	int cnt;	2205	int cnt;
2206	u32 val;	2206	u32 val;
Lines 2214-2220 Link Here
2214	dst[cnt] = (char *)(u64)val;	2214	dst[cnt] = (char *)(u64)val;
2215	cnt++;	2215	cnt++;
2216	src += 4;	2216	src += 4;
2217	if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))	2217	if (cnt > max)
2218	return -E2BIG;	2218	return -E2BIG;
2219	} while(val);	2219	} while(val);
2220	if (dst)	2220	if (dst)
Lines 2230-2242 Link Here
2230	int ret;	2230	int ret;
2231	unsigned sz = 0;	2231	unsigned sz = 0;
2232		2232
		2233	/* Can actually allocate 2MAX_ARG_PAGES /
2233	if (argv) {	2234	if (argv) {
2234	na = nargs(argv, NULL);	2235	na = nargs(argv, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1);
2235	if (na < 0)	2236	if (na < 0)
2236	return -EFAULT;	2237	return -EFAULT;
2237	}	2238	}
2238	if (envp) {	2239	if (envp) {
2239	ne = nargs(envp, NULL);	2240	ne = nargs(envp, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1);
2240	if (ne < 0)	2241	if (ne < 0)
2241	return -EFAULT;	2242	return -EFAULT;
2242	}	2243	}
Lines 2252-2264 Link Here
2252	}	2253	}
2253		2254
2254	if (argv) {	2255	if (argv) {
2255	ret = nargs(argv, buf);	2256	ret = nargs(argv, buf, na);
2256	if (ret < 0)	2257	if (ret < 0)
2257	goto free;	2258	goto free;
2258	}	2259	}
2259		2260
2260	if (envp) {	2261	if (envp) {
2261	ret = nargs(envp, buf + na);	2262	ret = nargs(envp, buf + na, ne);
2262	if (ret < 0)	2263	if (ret < 0)
2263	goto free;	2264	goto free;
2264	}	2265	}