Subject: kern/23585: bounds checking error in semctl1 and sys_semop
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <jeffi@rcn.com>
List: netbsd-bugs
Date: 11/27/2003 23:10:51
>Number: 23585
>Category: kern
>Synopsis: bounds checking error in semctl1 and sys_semop
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Nov 27 23:11:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Jeff Ito
>Release: 1.6ZF
>Organization:
>Environment:
NetBSD netbsd 1.6ZF NetBSD 1.6ZF (LAB) #0: Wed Nov 26 10:15:22 EST 2003
>Description:
A bounds checking error in sysv_sem.c checks semid against seminfo.semmsl and not seminfo.semmni.
Taken from FreeBSD (and more recently OpenBSD)
http://www.freebsd.org/cgi/query-pr.cgi?pr=34979
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/sysv_sem.c.diff?r1=1.47&r2=1.48
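To make the description concrete, the following is an added example (not code from the PR or from the NetBSD tree) that reduces the two bounds checks to their essence. The `IPCID_TO_IX` and `IXSEQ_TO_IPCID` macros and the `seminfo` limits are constructed stand-ins chosen to mirror the kernel's shape; the sample values semmni = 10 and semmsl = 60 are assumptions for illustration only. It shows why comparing the index against semmsl (semaphores per set) instead of semmni (number of sets, i.e. the size of `sema[]`) lets an index past the end of the array through, and that the corrected comparison rejects it.

```c
#include <stdio.h>
#include <errno.h>

/* Constructed replicas of the ipc id helpers (assumed shape, not the kernel's headers). */
#define IPCID_TO_IX(id)         ((id) & 0xffff)
#define IXSEQ_TO_IPCID(ix, seq) (((seq) << 16) | ((ix) & 0xffff))

/* Constructed stand-in for struct seminfo with only the two fields that matter here. */
struct seminfo_lite {
    int semmni;   /* max number of semaphore identifiers: the size of sema[] */
    int semmsl;   /* max semaphores per identifier: the size of one set */
};

/* Sample limits (assumed): far fewer identifiers than semaphores per set. */
static const struct seminfo_lite seminfo = { .semmni = 10, .semmsl = 60 };

/* Before the fix: the index into sema[] is compared against the wrong limit.
 * Returns 0 when the id is accepted, EINVAL when it is rejected. */
int check_semid_semmsl(int semid)
{
    int ix = IPCID_TO_IX(semid);
    if (ix < 0 || ix >= seminfo.semmsl)
        return EINVAL;
    return 0;
}

/* After the fix: the index is compared against the number of identifiers,
 * which is what actually bounds sema[]. */
int check_semid_semmni(int semid)
{
    int ix = IPCID_TO_IX(semid);
    if (ix < 0 || ix >= seminfo.semmni)
        return EINVAL;
    return 0;
}

/* Returns 1 if the given check accepts an id whose index lies outside
 * sema[0 .. semmni-1], i.e. the check would let an out-of-range index through. */
int accepted_index_out_of_range(int (*check)(int), int semid)
{
    if (check(semid) != 0)
        return 0;
    return IPCID_TO_IX(semid) >= seminfo.semmni;
}

int main(void)
{
    /* Constructed id: index 15, sequence 1. Index 15 is below semmsl (60)
     * but at or past semmni (10), so only the corrected check rejects it. */
    int id = IXSEQ_TO_IPCID(15, 1);

    printf("old check (semmsl): %s, out-of-range index let through: %d\n",
           check_semid_semmsl(id) == 0 ? "accepted" : "rejected",
           accepted_index_out_of_range(check_semid_semmsl, id));
    printf("new check (semmni): %s, out-of-range index let through: %d\n",
           check_semid_semmni(id) == 0 ? "accepted" : "rejected",
           accepted_index_out_of_range(check_semid_semmni, id));
    return 0;
}
```

With the sample limits, every index in [semmni, semmsl) passes the old comparison and would be used as `&sema[ix]`, so the bound that matters is the one that sizes the array, not the per-set limit.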
>How-To-Repeat:
n/a
>Fix:
Index: sysv_sem.c
===================================================================
RCS file: /cvs/nbsd/src/sys/kern/sysv_sem.c,v
retrieving revision 1.48
diff -u -r1.48 sysv_sem.c
--- sysv_sem.c 26 Oct 2003 10:32:24 -0000 1.48
+++ sysv_sem.c 26 Nov 2003 13:33:00 -0000
@@ -363,7 +363,7 @@
semid, semnum, cmd, v));
ix = IPCID_TO_IX(semid);
- if (ix < 0 || ix >= seminfo.semmsl)
+ if (ix < 0 || ix >= seminfo.semmni)
return (EINVAL);
semaptr = &sema[ix];
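Review bot: the new bound in semctl1 is the right one, since `ix` is used immediately as `&sema[ix]` and `sema[]` is sized by the number of identifiers (semmni), not by semaphores per set (semmsl); with the old test any `ix` in [semmni, semmsl) was accepted and `semaptr` pointed past the array. A one-line comment at the check stating that `sema[]` is bounded by `seminfo.semmni` would help keep the two similarly named limits from being confused again, given that the same mistake was made in two places.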
@@ -598,7 +598,7 @@
semid = IPCID_TO_IX(semid); /* Convert back to zero origin */
- if (semid < 0 || semid >= seminfo.semmsl)
+ if (semid < 0 || semid >= seminfo.semmni)
return(EINVAL);
semaptr = &sema[semid];
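Review bot: same fix as in semctl1, applied consistently to the sys_semop path where `semid` is reused as the index into `sema[]`; both hunks should go in together, as fixing only one would leave the other comparison accepting the same out-of-range indices. Minor style point: this hunk uses `return(EINVAL);` while the semctl1 hunk uses `return (EINVAL);`; worth normalizing while the lines are being touched.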
>Release-Note:
>Audit-Trail:
>Unformatted: