A bug in semctl()

[李尚杰]

In file kern/sysv_sem.c:
554 __semctl(td, uap)
555         struct thread *td;
556         struct __semctl_args *uap;
557 {
558         int semid = uap->semid; <<<here 1
559         int semnum = uap->semnum;
560         int cmd = uap->cmd;
561         u_short *array;
562         union semun *arg = uap->arg;
563         union semun real_arg;
564         struct ucred *cred = td->td_ucred;
565         int i, rval, error;
566         struct semid_ds sbuf;
567         struct semid_kernel *semakptr;
568         struct mtx *sema_mtxp;
569         u_short usval, count;
570
571         DPRINTF(("call to semctl(%d, %d, %d, 0x%x)\n",
572             semid, semnum, cmd, arg));
573         if (!jail_sysvipc_allowed && jailed(td->td_ucred))
574                 return (ENOSYS);
575
576         array = NULL;
577
578         switch(cmd) {
579         case SEM_STAT:
580                 if (semid < 0 || semid >= seminfo.semmni) <<<here 2
581                         return (EINVAL);
582                 if ((error = copyin(arg, &real_arg, sizeof(real_arg))) != 0)
583                         return (error);
584                 semakptr = &sema[semid];<<<here 3

>From line 558 to line 578, there must be a mechism to convert the
sem_id to the internal sema array index. In fact, it was missing,
which make the semctl syscall not work well.
-- 
--
|Best regards.
|Shangjie, Li (Ph.D candidate)
|Institute of Software, Chinese Academy of Sciences,
|P.O. Box 8718, Beijing 100080, CHINA
|Phone: (8610)62561197/62635158-1008(O), 82680528(H)
|Email: shangjie02 at ios.cn
>---------------------------------------------------<