diff options
author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2012-05-10 13:26:40 -0700 |
---|---|---|
committer | Roland McGrath <roland@hack.frob.com> | 2012-05-10 15:57:23 -0700 |
commit | 6753048948b86f3b045710f77e1616b348562fa9 (patch) | |
tree | 8326ae5092ddb035ad2aa29d7bf79f4a87e09772 /sysdeps/mach/hurd/ioctl.c | |
parent | 18bad2ae1bd1797782d51231d24f7b773c2bfff6 (diff) | |
download | glibc-6753048948b86f3b045710f77e1616b348562fa9.tar.gz glibc-6753048948b86f3b045710f77e1616b348562fa9.tar.xz glibc-6753048948b86f3b045710f77e1616b348562fa9.zip |
Hurd: ioctl() incorrectly decodes argument
Diffstat (limited to 'sysdeps/mach/hurd/ioctl.c')
-rw-r--r-- | sysdeps/mach/hurd/ioctl.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/sysdeps/mach/hurd/ioctl.c b/sysdeps/mach/hurd/ioctl.c index beffe4365e..543d437c1e 100644 --- a/sysdeps/mach/hurd/ioctl.c +++ b/sysdeps/mach/hurd/ioctl.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1992,93,94,95,96,97,99,2000,2002,2005 - Free Software Foundation, Inc. +/* Copyright (C) 1992-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -88,7 +87,7 @@ __ioctl (int fd, unsigned long int request, ...) void *p; #endif - void *arg; + void *arg = NULL; error_t err; @@ -111,7 +110,7 @@ __ioctl (int fd, unsigned long int request, ...) if (_IOC_INOUT (request) & IOC_IN) { /* We don't want to advance ARG since it will be used to copy out - too if IOC_OUT is also set. */ + too if IOC_OUT is also set. */ void *argptr = arg; /* Pack an argument into the message buffer. */ @@ -139,7 +138,7 @@ __ioctl (int fd, unsigned long int request, ...) in (_IOT_COUNT1 (type), _IOT_TYPE1 (type)); in (_IOT_COUNT2 (type), _IOT_TYPE2 (type)); } - else if (_IOC_INOUT (request) == IOC_VOID) + else if (_IOC_INOUT (request) == IOC_VOID && _IOT_COUNT0 (type) != 0) { /* The RPC takes a single integer_t argument. Rather than pointing to the value, ARG is the value itself. */ @@ -208,11 +207,15 @@ __ioctl (int fd, unsigned long int request, ...) return msg.header.RetCode; } - va_list ap; + if (_IOT_COUNT0 (type) != 0) + { + /* Data need either be sent, received, or even both. */ + va_list ap; - va_start (ap, request); - arg = va_arg (ap, void *); - va_end (ap); + va_start (ap, request); + arg = va_arg (ap, void *); + va_end (ap); + } { /* Check for a registered handler for REQUEST. */ |