The msgsnd system call takes an argument that describes the message
size (msgsz) and is of type size_t. The system call should set
errno to EINVAL in the event that a negative message size is passed.
Signed-off-by: Tom Musta <tommu...@gmail.com>
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index c0c0434..f524a39 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2870,12 +2870,16 @@ struct target_msgbuf {
};
static inline abi_long do_msgsnd(int msqid, abi_long msgp,
- unsigned int msgsz, int msgflg)
+ ssize_t msgsz, int msgflg)
{
struct target_msgbuf *target_mb;
struct msgbuf *host_mb;
abi_long ret = 0;
+ if (msgsz < 0) {
+ return -TARGET_EINVAL;
+ }
+
if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0))
return -TARGET_EFAULT;
host_mb = malloc(msgsz+sizeof(long));
--
1.7.1
