fix wrong parameter size on ioctl FIONREAD

On Wed, Sep 23, 2009 at 23:11, Matthias Schwarzott <zzam@gentoo.org> wrote:
> It is about ioctl failures on amd64:
>   http://bugs.gentoo.org/show_bug.cgi?id=286041
>
> A bad parameter type to an ioctl() call causes udev-146 to generate "error
> getting buffer for inotify" messages in syslog.  The offending code is
> roughly:
>
>    ssize_t nbytes, pos;
>    // ...
>    ioctl(fd, FIONREAD, &nbytes);
>
> where ssize_t is 64 bits on amd64, but the kernel code for FIONREAD (at least
> through gentoo-sources-2.6.31) uses type int:
>
>    p = (void __user *) arg;
>    switch (cmd) {
>    case FIONREAD:
>        // ...
>        ret = put_user(send_len, (int __user *) p);
>
> so the upper 32 bits of "nbytes" are left uninitialized, and the subsequent
> malloc(nbytes) fails unless those 32 bits happen to be zero (or the system has
> a LOT of memory).

diff --git a/udev/udevd.c b/udev/udevd.c
index 2eb914a3f335f61952b355328ef9c8fae707b559..62c643668c8be96f7f26a59e90b8819d221ad619 100644 (file)
--- a/udev/udevd.c
+++ b/udev/udevd.c
@@ -662,7 +662,7 @@ static void handle_ctrl_msg(struct udev_ctrl *uctrl)
 /* read inotify messages */
 static int handle_inotify(struct udev *udev)
 {
-       ssize_t nbytes, pos;
+       int nbytes, pos;
        char *buf;
        struct inotify_event *ev;