On 02/02/2013 04:04 PM, dill...@dillona.com wrote: > From: Dillon Amburgey <dill...@dillona.com> > > Signed-off-by: Dillon Amburgey <dill...@dillona.com> > --- > linux-user/syscall.c | 22 ++++++++++++---------- > 1 files changed, 12 insertions(+), 10 deletions(-) > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > index a148d9f..7344052 100644 > --- a/linux-user/syscall.c > +++ b/linux-user/syscall.c > @@ -7653,18 +7653,20 @@ abi_long do_syscall(void *cpu_env, int num, abi_long > arg1, > { > int gidsetsize = arg1; > target_id *target_grouplist; > - gid_t *grouplist; > + gid_t *grouplist = NULL; > int i; > - > - grouplist = alloca(gidsetsize * sizeof(gid_t)); > - target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 2, > 1); > - if (!target_grouplist) { > - ret = -TARGET_EFAULT; > - goto fail; > + if (gidsetsize) { > + grouplist = alloca(gidsetsize * sizeof(gid_t));
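Review bot: `grouplist = alloca(gidsetsize * sizeof(gid_t))` inside the new `if (gidsetsize)` branch still sizes a stack allocation directly from the guest-controlled `arg1` with no upper bound, and since `gidsetsize` is an `int`, a negative value also passes the non-zero test and the product becomes a huge `size_t`. Reject negative values and cap the count (for example against NGROUPS_MAX, which is the bound the kernel itself enforces for setgroups) before the `alloca`, returning `-TARGET_EINVAL` for out-of-range sizes, or move the buffer to a heap allocation whose failure can be reported cleanly instead of exhausting the stack.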
Is this alloca() safe, or are you risking stack overflow if the user passes an extremely large arg1?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org