Commit 9298163f authored by Andreas Schwab's avatar Andreas Schwab Committed by David Mosberger

[PATCH] ia64: Missing overflow check in mmap

Calling mmap with len == -1 was silently accepted.  The test in the generic
code was fixed in July 2003, but the fix didn't make it into the ia64-
specific code.
parent 0c5d6e19
...@@ -201,10 +201,16 @@ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, un ...@@ -201,10 +201,16 @@ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, un
* A zero mmap always succeeds in Linux, independent of whether or not the * A zero mmap always succeeds in Linux, independent of whether or not the
* remaining arguments are valid. * remaining arguments are valid.
*/ */
len = PAGE_ALIGN(len);
if (len == 0) if (len == 0)
goto out; goto out;
/* Careful about overflows.. */
len = PAGE_ALIGN(len);
if (!len || len > TASK_SIZE) {
addr = -EINVAL;
goto out;
}
/* /*
* Don't permit mappings into unmapped space, the virtual page table of a region, * Don't permit mappings into unmapped space, the virtual page table of a region,
* or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE * or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment