Calling mmap with len == -1 was silently accepted. Andreas. --- linux-2.6.5/arch/ia64/kernel/sys_ia64.c.~1~ 2004-04-04 05:37:23.000000000 +0200 +++ linux-2.6.5/arch/ia64/kernel/sys_ia64.c 2004-04-05 18:16:24.424002264 +0200 @@ -201,10 +201,16 @@ do_mmap2 (unsigned long addr, unsigned l * A zero mmap always succeeds in Linux, independent of whether or not the * remaining arguments are valid. */ - len = PAGE_ALIGN(len); if (len == 0) goto out; + /* Careful about overflows.. */ + len = PAGE_ALIGN(len); + if (!len || len > TASK_SIZE) { + addr = -EINVAL; + goto out; + } + /* * Don't permit mappings into unmapped space, the virtual page table of a region, * or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE -- Andreas Schwab, SuSE Labs, schwab@suse.de SuSE Linux AG, Maxfeldstraße 5, 90409 Nürnberg, Germany Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5 "And now for something completely different." - To unsubscribe from this list: send the line "unsubscribe linux-ia64" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.htmlReceived on Mon Apr 5 12:55:29 2004
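Review bot: the comment on the added block, "Careful about overflows..", does not say which overflow is meant, and without that the `!len` test after `len = PAGE_ALIGN(len);` reads like a duplicate of the `if (len == 0)` test just above it. The two are different cases: the first is a caller passing a zero length, which the existing comment says always succeeds, while the second is a nonzero length such as -1 that rounds up past the top of unsigned long and wraps to 0, which now gets -EINVAL. Saying that in the comment would keep a later cleanup from merging or dropping one of the checks. The `len > TASK_SIZE` bound is also not covered by the commit message, which mentions only len == -1, so a sentence on why that limit was chosen would help.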