Attachment #51304 for bug #78362




#define __CMSG32_FIRSTHDR(ctl,len) \
	((len) >= sizeof(struct cmsghdr32) ? (struct cmsghdr32 *)(ctl) : (struct cmsghdr32 *)NULL)
#define CMSG32_FIRSTHDR(msg)	__CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))

static inline struct cmsghdr32 *
__cmsg32_nxthdr (void *ctl, __kernel_size_t size, struct cmsghdr32 *cmsg, int cmsg_len)

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
			return -EINVAL;
		if ((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control) + ucmlen)
		    > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +




				    (struct cmsghdr32 *)(ctl) : \
				    (struct cmsghdr32 *)NULL)
#define CMSG32_FIRSTHDR(msg)	__CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))


__inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
					      struct cmsghdr32 *__cmsg, int __cmsg_len)

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
		   CMSG32_ALIGN(sizeof(struct cmsghdr32)))
			return -ENOBUFS;
		if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +




				    (struct cmsghdr32 *)(ctl) : \
				    (struct cmsghdr32 *)NULL)
#define CMSG32_FIRSTHDR(msg)	__CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))

__inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
					      struct cmsghdr32 *__cmsg, int __cmsg_len)

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
		   CMSG32_ALIGN(sizeof(struct cmsghdr32)))
			return -EINVAL;
		if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +




				    (struct cmsghdr32 *)(ctl) : \
				    (struct cmsghdr32 *)NULL)
#define CMSG32_FIRSTHDR(msg)	__CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))

struct msghdr32
{

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
		   CMSG32_ALIGN(sizeof(struct cmsghdr32)))
			return -EINVAL;
		if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +




				    (struct cmsghdr32 *)(ctl) : \
				    (struct cmsghdr32 *)NULL)
#define CMSG32_FIRSTHDR(msg)	__CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))

__inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
					      struct cmsghdr32 *__cmsg, int __cmsg_len)

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
		   CMSG32_ALIGN(sizeof(struct cmsghdr32)))
			return -EINVAL;
		if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +




				    (struct cmsghdr32 *)(ctl) : \
				    (struct cmsghdr32 *)NULL)
#define CMSG32_FIRSTHDR(msg)	__CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
	((ucmlen) >= sizeof(struct cmsghdr) && \
	 (ucmlen) <= (unsigned long) \
	 ((mhdr)->msg_controllen - \
	  ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))

__inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
					      struct cmsghdr32 *__cmsg, int __cmsg_len)

			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
		   CMSG32_ALIGN(sizeof(struct cmsghdr32)))
			return -EINVAL;
		if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +




			return -EFAULT;

		/* Catch bogons. */
		if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
		   CMSG32_ALIGN(sizeof(struct cmsghdr32)))
			return -EINVAL;
		if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
				   + ucmlen) > kmsg->msg_controllen)
			return -EINVAL;

		if (kmsg->msg_controllen > 65536) 
			return -EINVAL;


Lines 45-50 Link Here

(-)a/include/asm-x86_64/socket32.h (+5 lines)
45	(struct cmsghdr32 *)(ctl) : \	45	(struct cmsghdr32 *)(ctl) : \
46	(struct cmsghdr32 *)NULL)	46	(struct cmsghdr32 *)NULL)
47	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	47	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		48	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		49	((ucmlen) >= sizeof(struct cmsghdr) && \
		50	(ucmlen) <= (unsigned long) \
		51	((mhdr)->msg_controllen - \
		52	((char )(ucmsg) - (char )(mhdr)->msg_control)))
48		53
49	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,	54	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,
50	struct cmsghdr32 *__cmsg, int __cmsg_len)	55	struct cmsghdr32 *__cmsg, int __cmsg_len)

Lines 705-710 Link Here

(-)a/drivers/char/console.c (+6 lines)
705	return 0;	705	return 0;
706	}	706	}
707		707
		708	#define VC_RESIZE_MAXCOL (32767)
		709	#define VC_RESIZE_MAXROW (32767)
		710
708	/*	711	/*
709	* Change # of rows and columns (0 means unchanged/the size of fg_console)	712	* Change # of rows and columns (0 means unchanged/the size of fg_console)
710	* [this is to be used together with some user program	713	* [this is to be used together with some user program
Lines 716-721 Link Here
716	unsigned int cc, ll, ss, sr, todo = 0;	719	unsigned int cc, ll, ss, sr, todo = 0;
717	unsigned int currcons = fg_console, i;	720	unsigned int currcons = fg_console, i;
718	unsigned short *newscreens[MAX_NR_CONSOLES];	721	unsigned short *newscreens[MAX_NR_CONSOLES];
		722
		723	if (cols > VC_RESIZE_MAXCOL \|\| lines > VC_RESIZE_MAXROW)
		724	return -EINVAL;
719		725
720	cc = (cols ? cols : video_num_columns);	726	cc = (cols ? cols : video_num_columns);
721	ll = (lines ? lines : video_num_lines);	727	ll = (lines ? lines : video_num_lines);

Return to bug 78362

Lines 1369-1374 Link Here

(-)a/arch/ia64/ia32/sys_ia32.c (-4 / +6 lines)
1369	#define __CMSG32_FIRSTHDR(ctl,len) \	1369	#define __CMSG32_FIRSTHDR(ctl,len) \
1370	((len) >= sizeof(struct cmsghdr32) ? (struct cmsghdr32 )(ctl) : (struct cmsghdr32 )NULL)	1370	((len) >= sizeof(struct cmsghdr32) ? (struct cmsghdr32 )(ctl) : (struct cmsghdr32 )NULL)
1371	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	1371	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		1372	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		1373	((ucmlen) >= sizeof(struct cmsghdr) && \
		1374	(ucmlen) <= (unsigned long) \
		1375	((mhdr)->msg_controllen - \
		1376	((char )(ucmsg) - (char )(mhdr)->msg_control)))
1372		1377
1373	static inline struct cmsghdr32 *	1378	static inline struct cmsghdr32 *
1374	__cmsg32_nxthdr (void ctl, __kernel_size_t size, struct cmsghdr32 cmsg, int cmsg_len)	1379	__cmsg32_nxthdr (void ctl, __kernel_size_t size, struct cmsghdr32 cmsg, int cmsg_len)
Lines 1429-1438 Link Here
1429	return -EFAULT;	1434	return -EFAULT;
1430		1435
1431	/* Catch bogons. */	1436	/* Catch bogons. */
1432	if (CMSG32_ALIGN(ucmlen) < CMSG32_ALIGN(sizeof(struct cmsghdr32)))	1437	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
1433	return -EINVAL;
1434	if ((unsigned long)(((char )ucmsg - (char )kmsg->msg_control) + ucmlen)
1435	> kmsg->msg_controllen)
1436	return -EINVAL;	1438	return -EINVAL;
1437		1439
1438	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +	1440	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +

Lines 2483-2488 Link Here

(-)a/arch/mips64/kernel/linux32.c (-5 / +7 lines)
2483	(struct cmsghdr32 *)(ctl) : \	2483	(struct cmsghdr32 *)(ctl) : \
2484	(struct cmsghdr32 *)NULL)	2484	(struct cmsghdr32 *)NULL)
2485	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	2485	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		2486	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		2487	((ucmlen) >= sizeof(struct cmsghdr) && \
		2488	(ucmlen) <= (unsigned long) \
		2489	((mhdr)->msg_controllen - \
		2490	((char )(ucmsg) - (char )(mhdr)->msg_control)))
		2491
2486		2492
2487	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,	2493	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,
2488	struct cmsghdr32 *__cmsg, int __cmsg_len)	2494	struct cmsghdr32 *__cmsg, int __cmsg_len)
Lines 2623-2633 Link Here
2623	return -EFAULT;	2629	return -EFAULT;
2624		2630
2625	/* Catch bogons. */	2631	/* Catch bogons. */
2626	if(CMSG32_ALIGN(ucmlen) <	2632	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
2627	CMSG32_ALIGN(sizeof(struct cmsghdr32)))
2628	return -ENOBUFS;
2629	if((unsigned long)(((char )ucmsg - (char )kmsg->msg_control)
2630	+ ucmlen) > kmsg->msg_controllen)
2631	return -EINVAL;	2633	return -EINVAL;
2632		2634
2633	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +	2635	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +

Lines 1814-1819 Link Here

(-)a/arch/parisc/kernel/sys_parisc32.c (-5 / +6 lines)
1814	(struct cmsghdr32 *)(ctl) : \	1814	(struct cmsghdr32 *)(ctl) : \
1815	(struct cmsghdr32 *)NULL)	1815	(struct cmsghdr32 *)NULL)
1816	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	1816	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		1817	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		1818	((ucmlen) >= sizeof(struct cmsghdr) && \
		1819	(ucmlen) <= (unsigned long) \
		1820	((mhdr)->msg_controllen - \
		1821	((char )(ucmsg) - (char )(mhdr)->msg_control)))
1817		1822
1818	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,	1823	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,
1819	struct cmsghdr32 *__cmsg, int __cmsg_len)	1824	struct cmsghdr32 *__cmsg, int __cmsg_len)
Lines 1940-1950 Link Here
1940	return -EFAULT;	1945	return -EFAULT;
1941		1946
1942	/* Catch bogons. */	1947	/* Catch bogons. */
1943	if(CMSG32_ALIGN(ucmlen) <	1948	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
1944	CMSG32_ALIGN(sizeof(struct cmsghdr32)))
1945	return -EINVAL;
1946	if((unsigned long)(((char )ucmsg - (char )kmsg->msg_control)
1947	+ ucmlen) > kmsg->msg_controllen)
1948	return -EINVAL;	1949	return -EINVAL;
1949		1950
1950	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +	1951	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +

Lines 3273-3278 Link Here

(-)a/arch/ppc64/kernel/sys_ppc32.c (-5 / +6 lines)
3273	(struct cmsghdr32 *)(ctl) : \	3273	(struct cmsghdr32 *)(ctl) : \
3274	(struct cmsghdr32 *)NULL)	3274	(struct cmsghdr32 *)NULL)
3275	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	3275	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		3276	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		3277	((ucmlen) >= sizeof(struct cmsghdr) && \
		3278	(ucmlen) <= (unsigned long) \
		3279	((mhdr)->msg_controllen - \
		3280	((char )(ucmsg) - (char )(mhdr)->msg_control)))
3276		3281
3277	struct msghdr32	3282	struct msghdr32
3278	{	3283	{
Lines 3448-3458 Link Here
3448	return -EFAULT;	3453	return -EFAULT;
3449		3454
3450	/* Catch bogons. */	3455	/* Catch bogons. */
3451	if(CMSG32_ALIGN(ucmlen) <	3456	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
3452	CMSG32_ALIGN(sizeof(struct cmsghdr32)))
3453	return -EINVAL;
3454	if((unsigned long)(((char )ucmsg - (char )kmsg->msg_control)
3455	+ ucmlen) > kmsg->msg_controllen)
3456	return -EINVAL;	3457	return -EINVAL;
3457		3458
3458	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +	3459	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +

Lines 2306-2311 Link Here

(-)a/arch/s390x/kernel/linux32.c (-5 / +6 lines)
2306	(struct cmsghdr32 *)(ctl) : \	2306	(struct cmsghdr32 *)(ctl) : \
2307	(struct cmsghdr32 *)NULL)	2307	(struct cmsghdr32 *)NULL)
2308	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	2308	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		2309	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		2310	((ucmlen) >= sizeof(struct cmsghdr) && \
		2311	(ucmlen) <= (unsigned long) \
		2312	((mhdr)->msg_controllen - \
		2313	((char )(ucmsg) - (char )(mhdr)->msg_control)))
2309		2314
2310	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,	2315	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,
2311	struct cmsghdr32 *__cmsg, int __cmsg_len)	2316	struct cmsghdr32 *__cmsg, int __cmsg_len)
Lines 2432-2442 Link Here
2432	return -EFAULT;	2437	return -EFAULT;
2433		2438
2434	/* Catch bogons. */	2439	/* Catch bogons. */
2435	if(CMSG32_ALIGN(ucmlen) <	2440	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
2436	CMSG32_ALIGN(sizeof(struct cmsghdr32)))
2437	return -EINVAL;
2438	if((unsigned long)(((char )ucmsg - (char )kmsg->msg_control)
2439	+ ucmlen) > kmsg->msg_controllen)
2440	return -EINVAL;	2441	return -EINVAL;
2441		2442
2442	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +	2443	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +

Lines 2354-2359 Link Here

(-)a/arch/sparc64/kernel/sys_sparc32.c (-5 / +6 lines)
2354	(struct cmsghdr32 *)(ctl) : \	2354	(struct cmsghdr32 *)(ctl) : \
2355	(struct cmsghdr32 *)NULL)	2355	(struct cmsghdr32 *)NULL)
2356	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)	2356	#define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
		2357	#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
		2358	((ucmlen) >= sizeof(struct cmsghdr) && \
		2359	(ucmlen) <= (unsigned long) \
		2360	((mhdr)->msg_controllen - \
		2361	((char )(ucmsg) - (char )(mhdr)->msg_control)))
2357		2362
2358	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,	2363	__inline__ struct cmsghdr32 __cmsg32_nxthdr(void __ctl, __kernel_size_t __size,
2359	struct cmsghdr32 *__cmsg, int __cmsg_len)	2364	struct cmsghdr32 *__cmsg, int __cmsg_len)
Lines 2480-2490 Link Here
2480	return -EFAULT;	2485	return -EFAULT;
2481		2486
2482	/* Catch bogons. */	2487	/* Catch bogons. */
2483	if(CMSG32_ALIGN(ucmlen) <	2488	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
2484	CMSG32_ALIGN(sizeof(struct cmsghdr32)))
2485	return -EINVAL;
2486	if((unsigned long)(((char )ucmsg - (char )kmsg->msg_control)
2487	+ ucmlen) > kmsg->msg_controllen)
2488	return -EINVAL;	2489	return -EINVAL;
2489		2490
2490	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +	2491	tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +

Lines 136-147 Link Here

(-)a/arch/x86_64/ia32/socket32.c (-5 / +2 lines)
136	return -EFAULT;	136	return -EFAULT;
137		137
138	/* Catch bogons. */	138	/* Catch bogons. */
139	if(CMSG32_ALIGN(ucmlen) <	139	if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
140	CMSG32_ALIGN(sizeof(struct cmsghdr32)))
141	return -EINVAL;
142	if((unsigned long)(((char )ucmsg - (char )kmsg->msg_control)
143	+ ucmlen) > kmsg->msg_controllen)
144	return -EINVAL;	140	return -EINVAL;
		141
145	if (kmsg->msg_controllen > 65536)	142	if (kmsg->msg_controllen > 65536)
146	return -EINVAL;	143	return -EINVAL;
147		144