On 02/02/2013 04:04 PM, dill...@dillona.com wrote:
> From: Dillon Amburgey <dill...@dillona.com>
> 
> Signed-off-by: Dillon Amburgey <dill...@dillona.com>
> ---
>  linux-user/syscall.c |   22 ++++++++++++----------
>  1 files changed, 12 insertions(+), 10 deletions(-)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index a148d9f..7344052 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -7653,18 +7653,20 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
> arg1,
>          {
>              int gidsetsize = arg1;
>              target_id *target_grouplist;
> -            gid_t *grouplist;
> +            gid_t *grouplist = NULL;
>              int i;
> -
> -            grouplist = alloca(gidsetsize * sizeof(gid_t));
> -            target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 2, 
> 1);
> -            if (!target_grouplist) {
> -                ret = -TARGET_EFAULT;
> -                goto fail;
> +            if (gidsetsize) {
> +                grouplist = alloca(gidsetsize * sizeof(gid_t));
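
Review bot: the new "if (gidsetsize)" guard in front of the alloca() only excludes zero, so a negative or very large gidsetsize still reaches "alloca(gidsetsize * sizeof(gid_t))". gidsetsize is a signed int copied straight from arg1, and a negative value turns into a huge unsigned size in that multiplication. Consider rejecting values outside 0..NGROUPS_MAX with -TARGET_EINVAL before the allocation, or using a heap allocation whose failure can be checked and reported.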

Is this alloca() safe, or are you risking stack overflow if the user
passes an extremely large arg1?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
