svn commit: r324438 - head/sys/i386/i386

Konstantin Belousov kib at FreeBSD.org
Mon Oct 9 16:19:28 UTC 2017 

Author: kib
Date: Mon Oct  9 16:19:26 2017
New Revision: 324438
URL: https://svnweb.freebsd.org/changeset/base/324438

Log:
  Change i386_get_ldt() to return 'EOF' when the requested range of
  descriptors does not fit into currently allocated LDT, or trim the
  return if the range fits partially.  Before, the function returned
  EINVAL.
  
  Fix two bugs in r324366: use capped num counter for malloc size, and
  do not leak allocated buffer on EINVAL (by handling EINVAL case as
  normal, see above).
  
  Reviewed by:	bde
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week

Modified:
  head/sys/i386/i386/sys_machdep.c

Modified: head/sys/i386/i386/sys_machdep.c
==============================================================================
--- head/sys/i386/i386/sys_machdep.c	Mon Oct  9 16:07:27 2017	(r324437)
+++ head/sys/i386/i386/sys_machdep.c	Mon Oct  9 16:19:26 2017	(r324438)
@@ -534,23 +534,20 @@ i386_get_ldt(struct thread *td, struct i386_ldt_args *
 	    uap->start, uap->num, (void *)uap->descs);
 #endif
 
-	if (uap->start >= MAX_LD)
-		return (EINVAL);
-	num = min(uap->num, MAX_LD - uap->start);
-	data = malloc(uap->num * sizeof(union descriptor), M_TEMP, M_WAITOK);
+	num = min(uap->num, MAX_LD);
+	data = malloc(num * sizeof(union descriptor), M_TEMP, M_WAITOK);
 	mtx_lock_spin(&dt_lock);
 	pldt = td->td_proc->p_md.md_ldt;
 	nldt = pldt != NULL ? pldt->ldt_len : nitems(ldt);
-	num = min(num, nldt);
-	if (uap->start > nldt || uap->start + num > nldt) {
-		mtx_unlock_spin(&dt_lock);
-		return (EINVAL);
+	if (uap->start >= nldt) {
+		num = 0;
+	} else {
+		num = min(num, nldt - uap->start);
+		bcopy(pldt != NULL ?
+		    &((union descriptor *)(pldt->ldt_base))[uap->start] :
+		    &ldt[uap->start], data, num * sizeof(union descriptor));
 	}
-	bcopy(pldt != NULL ?
-	    &((union descriptor *)(pldt->ldt_base))[uap->start] :
-	    &ldt[uap->start], data, num * sizeof(union descriptor));
 	mtx_unlock_spin(&dt_lock);
-
 	error = copyout(data, uap->descs, num * sizeof(union descriptor));
 	if (error == 0)
 		td->td_retval[0] = num;

More information about the svn-src-all mailing list