Message-Id: <20130826134159.d033956c339cbd0bb7cb6f7f@linux-foundation.org>
Date:	Mon, 26 Aug 2013 13:41:59 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Svenning Sørensen <sss@...omea.dk>
Cc:	linux-kernel@...r.kernel.org,
	Peter Hurley <peter@...leysoftware.com>
Subject: Re: [PATCH] IPC: bugfix for msgrcv with msgtyp < 0

On Sat, 24 Aug 2013 13:44:49 +0200 Svenning Sørensen <sss@...omea.dk> wrote:

> According to 'man msgrcv':
> "If msgtyp is less than 0, the first message of the lowest type that is less
> than or equal to the absolute value of msgtyp shall be received."
> 
> Bug: The kernel only returns a message if its type is 1; other messages with
> type < abs(msgtype) will never get returned.
> 
> Fix: After having traversed the list to find the first message with the
> lowest type, we need to actually return that message.
> 
> Signed-off-by: Svenning Soerensen <sss@...omea.dk>
> 
> diff --git a/ipc/msg.c b/ipc/msg.c
> index bd60d7e..9f29d9e 100644
> --- a/ipc/msg.c
> +++ b/ipc/msg.c
> @@ -839,7 +839,7 @@ static inline void free_copy(struct msg_msg *copy)
>   
>   static struct msg_msg *find_msg(struct msg_queue *msq, long *msgtyp, int mode)
>   {
> -	struct msg_msg *msg;
> +	struct msg_msg *msg, *found = NULL;
>   	long count = 0;
>   
>   	list_for_each_entry(msg, &msq->q_messages, m_list) {
> @@ -848,6 +848,7 @@ static struct msg_msg *find_msg(struct msg_queue *msq, long *msgtyp, int mode)
>   					       *msgtyp, mode)) {
>   			if (mode == SEARCH_LESSEQUAL && msg->m_type != 1) {
>   				*msgtyp = msg->m_type - 1;
> +				found = msg;

Should we continue the search in this case, or should the code
immediately return this message?

>   			} else if (mode == SEARCH_NUMBER) {
>   				if (*msgtyp == count)
>   					return msg;
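
Review bot: the `found = msg;` assignment in the `SEARCH_LESSEQUAL` branch needs a comment saying that the loop keeps going on purpose. The line above it lowers the bound with `*msgtyp = msg->m_type - 1;`, so, assuming the match test at the top of the loop compares each message against `*msgtyp`, every later match has a strictly lower type and `found` finishes as the first message of the lowest type, which is what the man page text quoted in the commit message asks for. Returning at this point would instead hand back the first message whose type is within the bound, not the lowest one. A short comment to that effect would settle the question raised above for future readers.
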
> @@ -857,7 +858,7 @@ static struct msg_msg *find_msg(struct msg_queue *msq, long *msgtyp, int mode)
>   		}
>   	}
>   
> -	return ERR_PTR(-EAGAIN);
> +	return found ?: ERR_PTR(-EAGAIN);
>   }
>   
>   long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgflg,
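
Review bot: at `return found ?: ERR_PTR(-EAGAIN);` the success path returns with the caller's `*msgtyp` already overwritten by the `*msgtyp = msg->m_type - 1;` narrowing in the loop, so it no longer holds the bound that was passed in. Please confirm that no caller reads that value after a successful `find_msg()`, or do the narrowing on a local copy and leave `*msgtyp` untouched for `SEARCH_LESSEQUAL`. The `?:` shorthand is a GNU extension, which is acceptable in kernel code.
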