From owner-svn-src-all@freebsd.org  Mon Oct  9 16:19:28 2017
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0FD8EE35320;
 Mon,  9 Oct 2017 16:19:28 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A6CE0645EE;
 Mon,  9 Oct 2017 16:19:27 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v99GJQEB059504;
 Mon, 9 Oct 2017 16:19:26 GMT (envelope-from kib@FreeBSD.org)
Received: (from kib@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v99GJQPs059503;
 Mon, 9 Oct 2017 16:19:26 GMT (envelope-from kib@FreeBSD.org)
Message-Id: <201710091619.v99GJQPs059503@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org
 using -f
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Mon, 9 Oct 2017 16:19:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r324438 - head/sys/i386/i386
X-SVN-Group: head
X-SVN-Commit-Author: kib
X-SVN-Commit-Paths: head/sys/i386/i386
X-SVN-Commit-Revision: 324438
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2017 16:19:28 -0000

Author: kib
Date: Mon Oct  9 16:19:26 2017
New Revision: 324438
URL: https://svnweb.freebsd.org/changeset/base/324438

Log:
  Change i386_get_ldt() to return 'EOF' when the requested range of
  descriptors does not fit into currently allocated LDT, or trim the
  return if the range fits partially.  Before, the function returned
  EINVAL.
  
  Fix two bugs in r324366: use capped num counter for malloc size, and
  do not leak allocated buffer on EINVAL (by handling EINVAL case as
  normal, see above).
  
  Reviewed by:	bde
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week

Modified:
  head/sys/i386/i386/sys_machdep.c

Modified: head/sys/i386/i386/sys_machdep.c
==============================================================================
--- head/sys/i386/i386/sys_machdep.c	Mon Oct  9 16:07:27 2017	(r324437)
+++ head/sys/i386/i386/sys_machdep.c	Mon Oct  9 16:19:26 2017	(r324438)
@@ -534,23 +534,20 @@ i386_get_ldt(struct thread *td, struct i386_ldt_args *
 	    uap->start, uap->num, (void *)uap->descs);
 #endif
 
-	if (uap->start >= MAX_LD)
-		return (EINVAL);
-	num = min(uap->num, MAX_LD - uap->start);
-	data = malloc(uap->num * sizeof(union descriptor), M_TEMP, M_WAITOK);
+	num = min(uap->num, MAX_LD);
+	data = malloc(num * sizeof(union descriptor), M_TEMP, M_WAITOK);
 	mtx_lock_spin(&dt_lock);
 	pldt = td->td_proc->p_md.md_ldt;
 	nldt = pldt != NULL ? pldt->ldt_len : nitems(ldt);
-	num = min(num, nldt);
-	if (uap->start > nldt || uap->start + num > nldt) {
-		mtx_unlock_spin(&dt_lock);
-		return (EINVAL);
+	if (uap->start >= nldt) {
+		num = 0;
+	} else {
+		num = min(num, nldt - uap->start);
+		bcopy(pldt != NULL ?
+		    &((union descriptor *)(pldt->ldt_base))[uap->start] :
+		    &ldt[uap->start], data, num * sizeof(union descriptor));
 	}
-	bcopy(pldt != NULL ?
-	    &((union descriptor *)(pldt->ldt_base))[uap->start] :
-	    &ldt[uap->start], data, num * sizeof(union descriptor));
 	mtx_unlock_spin(&dt_lock);
-
 	error = copyout(data, uap->descs, num * sizeof(union descriptor));
 	if (error == 0)
 		td->td_retval[0] = num;