When ldt equals zero, the default branch is taken from the switch statement, and sel is not equal to zero, the comparison dereferences a null pointer. Avoid this.
* i386/i386/user_ldt.c (ldt): Check if it equals zero.
---
 i386/i386/user_ldt.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/i386/i386/user_ldt.c b/i386/i386/user_ldt.c
index 74c10a4..7afa5c9 100644
--- a/i386/i386/user_ldt.c
+++ b/i386/i386/user_ldt.c
@@ -79,9 +79,10 @@ boolean_t selector_check(thread, sel, type)
 if (type != S_DATA && sel == 0)
 return FALSE;
- if ((sel & (SEL_LDT|SEL_PL)) != (SEL_LDT|SEL_PL_U)
- || sel > ldt->desc.limit_low)
- return FALSE;
+ if (ldt != 0)
+ if ((sel & (SEL_LDT|SEL_PL)) != (SEL_LDT|SEL_PL_U)
+ || sel > ldt->desc.limit_low)
+ return FALSE;
 access = ldt->ldt[sel_idx(sel)].access;
-- 
1.8.1.4
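Review bot: The added `if (ldt != 0)` only skips the selector-range check, but the context line that follows, `access = ldt->ldt[sel_idx(sel)].access;`, still dereferences ldt unconditionally, so a NULL ldt that reaches this point (the switch the message refers to is outside the hunk) now faults one statement later instead of in the comparison. Unless that switch's default branch returns for every selector this code should not see, the null case has to leave the function here rather than bypass the check, presumably `if (ldt == 0) return FALSE;` in place of the added guard, since an LDT selector cannot be valid for a thread with no LDT. The nested unbraced `if` is also a dangling-else hazard; fold it into one condition, `if (ldt != 0 && ((sel & (SEL_LDT|SEL_PL)) != (SEL_LDT|SEL_PL_U) || sel > ldt->desc.limit_low))`, or brace the outer body. selector_check begins and ends outside the hunk.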