From: Peter Maydell <peter.mayd...@linaro.org>
If the guest passes us a bogus negative length for an iovec, fail
EINVAL rather than proceeding blindly forward. This fixes some of
the error cases tests for readv and writev in the LTP.
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <r...@twiddle.net>
Signed-off-by: Riku Voipio <riku.voi...@linaro.org>
(cherry picked from commit dfae8e00f8ddeedcda24bd28f71d4fd2a9f988b8)
Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
---
linux-user/syscall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7bc5ba9..b682357 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1776,7 +1776,7 @@ static struct iovec *lock_iovec(int type, abi_ulong
target_addr,
errno = 0;
return NULL;
}
- if (count > IOV_MAX) {
+ if (count < 0 || count > IOV_MAX) {
errno = EINVAL;
return NULL;
}
--
1.7.9.5
