From: Peter Maydell <peter.maydell@linaro.org>
Date: Fri, 8 Feb 2013 07:58:41 +0000 (+0000)
Subject: linux-user: make bogus negative iovec lengths fail EINVAL
X-Git-Tag: v1.4.1~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8378910554a03d54c22ab46cfaec491ee95b8315;p=thirdparty%2Fqemu.git

linux-user: make bogus negative iovec lengths fail EINVAL

If the guest passes us a bogus negative length for an iovec, fail
EINVAL rather than proceeding blindly forward. This fixes some of
the error cases tests for readv and writev in the LTP.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit dfae8e00f8ddeedcda24bd28f71d4fd2a9f988b8)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7bc5ba9acff..b682357629f 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1776,7 +1776,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr,
         errno = 0;
         return NULL;
     }
-    if (count > IOV_MAX) {
+    if (count < 0 || count > IOV_MAX) {
         errno = EINVAL;
         return NULL;
     }