X-Git-Url: http://nsz.repo.hu/git/?p=musl;a=blobdiff_plain;f=src%2Fipc%2Fsemget.c;h=c4a559db1b0ec1316dc2fa9bc47a538ea552d94a;hp=5f110e3b18bb8e4ecad4f5ef3e68168c438818a6;hb=062f40ef3e56021f4a9902095867e35cce6d99c4;hpb=553d566c3f7080cf1f339eebf715db7e5d0b0d76

diff --git a/src/ipc/semget.c b/src/ipc/semget.c
index 5f110e3b..c4a559db 100644
--- a/src/ipc/semget.c
+++ b/src/ipc/semget.c
@@ -1,9 +1,16 @@
 #include <sys/sem.h>
+#include <limits.h>
+#include <errno.h>
 #include "syscall.h"
 #include "ipc.h"
 
 int semget(key_t key, int n, int fl)
 {
+	/* The kernel uses the wrong type for the sem_nsems member
+	 * of struct semid_ds, and thus might not check that the
+	 * n fits in the correct (per POSIX) userspace type, so
+	 * we have to check here. */
+	if (n > USHRT_MAX) return __syscall_ret(-EINVAL);
 #ifdef SYS_semget
 	return syscall(SYS_semget, key, n, fl);
 #else