X-Git-Url: http://nsz.repo.hu/git/?a=blobdiff_plain;f=src%2Fipc%2Fsemget.c;h=c4a559db1b0ec1316dc2fa9bc47a538ea552d94a;hb=17276be31692880e56c93132e5d85fa9dd6c003f;hp=530c75ffa26492509e3516542651ecbe8f69fe1c;hpb=aa398f56fa398f2202b04e82c67f822f3233786f;p=musl

diff --git a/src/ipc/semget.c b/src/ipc/semget.c
index 530c75ff..c4a559db 100644
--- a/src/ipc/semget.c
+++ b/src/ipc/semget.c
@@ -1,10 +1,17 @@
 #include <sys/sem.h>
+#include <limits.h>
+#include <errno.h>
 #include "syscall.h"
 #include "ipc.h"
 
 int semget(key_t key, int n, int fl)
 {
-#ifdef __NR_semget
+	/* The kernel uses the wrong type for the sem_nsems member
+	 * of struct semid_ds, and thus might not check that the
+	 * n fits in the correct (per POSIX) userspace type, so
+	 * we have to check here. */
+	if (n > USHRT_MAX) return __syscall_ret(-EINVAL);
+#ifdef SYS_semget
 	return syscall(SYS_semget, key, n, fl);
 #else
 	return syscall(SYS_ipc, IPCOP_semget, key, n, fl);