From 062f40ef3e56021f4a9902095867e35cce6d99c4 Mon Sep 17 00:00:00 2001
From: Rich Felker
Date: Fri, 28 Jun 2013 23:57:58 -0400
Subject: work around wrong kernel type for sem_nsems member of struct semid_ds rejecting invalid values for n is fine even in the case where a new sem will not be created, since the kernel does its range checks on n even in this case as well. by default, the kernel will bound the limit well below USHRT_MAX anyway, but it's presumably possible that an administrator could override this limit and break things.
---
 src/ipc/semget.c | 7 +++++++
 1 file changed, 7 insertions(+) (limited to 'src/ipc')
diff --git a/src/ipc/semget.c b/src/ipc/semget.c
index 5f110e3b..c4a559db 100644
--- a/src/ipc/semget.c
+++ b/src/ipc/semget.c
@@ -1,9 +1,16 @@
 #include
+#include
+#include
 #include "syscall.h"
 #include "ipc.h"
 int semget(key_t key, int n, int fl) {
+ /* The kernel uses the wrong type for the sem_nsems member
+ * of struct semid_ds, and thus might not check that the
+ * n fits in the correct (per POSIX) userspace type, so
+ * we have to check here. */
+ if (n > USHRT_MAX) return __syscall_ret(-EINVAL);
 #ifdef SYS_semget
 return syscall(SYS_semget, key, n, fl);
 #else
-- cgit v1.2.1
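Review bot: The added `n > USHRT_MAX` guard only bounds sets requested through this function, so a set that some other process created with a larger count (possible once the kernel limit is raised, as the commit message describes) can still be opened here with a small `n`, and its `sem_nsems` would presumably still not fit the userspace type. The comment should state that limit and name what the check protects against, for example `/* Only bounds sets requested via this call; a pre-existing larger set can still be opened, so sem_nsems read back later may not match the real count. */`. Negative `n` appears to be left to the kernel's own range check, which deserves a clause in the same comment so the one-sided comparison does not read as an oversight. The body of semget continues past `#else`, outside the hunk.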