The msgsnd system call takes an argument that describes the message size (msgsz) and is of type size_t. The system call should set errno to EINVAL in the event that a negative message size is passed.
Signed-off-by: Tom Musta <tommu...@gmail.com> Reviewed-by: Peter Maydell <peter.mayd...@linaro.org> --- linux-user/syscall.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 04f4820..79fb3cb 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2874,12 +2874,16 @@ struct target_msgbuf { }; static inline abi_long do_msgsnd(int msqid, abi_long msgp, - unsigned int msgsz, int msgflg) + ssize_t msgsz, int msgflg) { struct target_msgbuf *target_mb; struct msgbuf *host_mb; abi_long ret = 0; + if (msgsz < 0) { + return -TARGET_EINVAL; + } + if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0)) return -TARGET_EFAULT; host_mb = malloc(msgsz+sizeof(long)); -- 1.7.1