about summary refs log tree commit diff
diff options
context:
space:
mode:
authorPino Toscano <toscano.pino@tiscali.it>2012-05-10 15:32:53 -0700
committerRoland McGrath <roland@hack.frob.com>2012-05-10 15:57:27 -0700
commitc6474b07e7b5f0cdc9089c1c4fcfc4fcaa2bcd92 (patch)
tree59c394e0c9fa8a3bde967e40cea2b6567714483d
parent1043890b10996ec4b14cd01040b82610760d5d4a (diff)
downloadglibc-c6474b07e7b5f0cdc9089c1c4fcfc4fcaa2bcd92.tar.gz
glibc-c6474b07e7b5f0cdc9089c1c4fcfc4fcaa2bcd92.tar.xz
glibc-c6474b07e7b5f0cdc9089c1c4fcfc4fcaa2bcd92.zip
Hurd: _hurd_select: check for invalid parameter values
-rw-r--r--ChangeLog6
-rw-r--r--hurd/hurdselect.c28
2 files changed, 27 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 11fdd81c12..d244bdb82f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2012-05-10  Pino Toscano  <toscano.pino@tiscali.it>
+
+	* hurd/hurdselect.c (_hurd_select): Return EINVAL for negative
+	TIMEOUT values.  Return EINVAL for NFDS values either negative or
+	greater than FD_SETSIZE.
+
 2012-05-10  Samuel Thibault  <samuel.thibault@ens-lyon.org>
 
 	* sysdeps/mach/hurd/brk.c (_hurd_set_brk): When more space needs to be
diff --git a/hurd/hurdselect.c b/hurd/hurdselect.c
index 25d9d9f23a..21ba5f42a4 100644
--- a/hurd/hurdselect.c
+++ b/hurd/hurdselect.c
@@ -1,6 +1,5 @@
 /* Guts of both `select' and `poll' for Hurd.
-   Copyright (C) 1991,92,93,94,95,96,97,98,99,2001
-   	Free Software Foundation, Inc.
+   Copyright (C) 1991-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -49,10 +48,7 @@ _hurd_select (int nfds,
   error_t err;
   fd_set rfds, wfds, xfds;
   int firstfd, lastfd;
-  mach_msg_timeout_t to = (timeout != NULL ?
-			   (timeout->tv_sec * 1000 +
-			    (timeout->tv_nsec + 999999) / 1000000) :
-			   0);
+  mach_msg_timeout_t to = 0;
   struct
     {
       struct hurd_userlink ulink;
@@ -71,6 +67,24 @@ _hurd_select (int nfds,
   assert (sizeof (union typeword) == sizeof (mach_msg_type_t));
   assert (sizeof (uint32_t) == sizeof (mach_msg_type_t));
 
+  if (nfds < 0 || nfds > FD_SETSIZE)
+    {
+      errno = EINVAL;
+      return -1;
+    }
+
+  if (timeout != NULL)
+    {
+      if (timeout->tv_sec < 0 || timeout->tv_nsec < 0)
+	{
+	  errno = EINVAL;
+	  return -1;
+	}
+
+      to = (timeout->tv_sec * 1000 +
+            (timeout->tv_nsec + 999999) / 1000000);
+    }
+
   if (sigmask && __sigprocmask (SIG_SETMASK, sigmask, &oset))
     return -1;
 
@@ -364,7 +378,7 @@ _hurd_select (int nfds,
 		}
 
 	      /* Look up the respondent's reply port and record its
-                 readiness.  */
+		 readiness.  */
 	      {
 		int had = got;
 		if (firstfd != -1)