diff options
| author | mjg <mjg@FreeBSD.org> | 2015-10-08 21:08:35 +0000 |
|---|---|---|
| committer | mjg <mjg@FreeBSD.org> | 2015-10-08 21:08:35 +0000 |
| commit | d8dc4fc1aee9496d2cf7e47e81eb24533c2045a1 (patch) | |
| tree | 6610c85c782f0f277876c6a9ac9804db4fc3cdd9 /sys/i386 | |
| parent | d1d774415709780ebddcecdef527f909484ec184 (diff) | |
| download | FreeBSD-src-d8dc4fc1aee9496d2cf7e47e81eb24533c2045a1.zip FreeBSD-src-d8dc4fc1aee9496d2cf7e47e81eb24533c2045a1.tar.gz | |
linux: fix handling of out-of-bounds syscall attempts
Due to an off by one the code would read an entry past the table, as
opposed to the last entry which contains the nosys handler.
Reported by: Pawel Biernacki <pawel.biernacki gmail.com>
Diffstat (limited to 'sys/i386')
| -rw-r--r-- | sys/i386/linux/linux_sysvec.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c index acf23ac..dad8160 100644 --- a/sys/i386/linux/linux_sysvec.c +++ b/sys/i386/linux/linux_sysvec.c @@ -866,7 +866,7 @@ linux_fetch_syscall_args(struct thread *td, struct syscall_args *sa) if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1] else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg; |
