9fans archive, June 1996

From: Amos Shapir amos@cs....
Subject: Bug in sysrendezvous?
Date: Mon, 3 Jun 1996 09:59:36 -0400

The "tag" operand of rendezvous is defined as ulong; but in the
function sysrendezvous (in sysproc.c), it's copied into an int, which
is used as an index in a table by the REND macro.  If I'm mistaken
correctly, this means that if the tag is negative, the resulting
pointer would point *outside* the table!

I guess this bug was not discovered because the tag is usually an
address in user space, but nothing in the manual suggests it has to be
below 0x80000000 (or that it shouldn't be 0xdeadbeef...)

Did anybody else have any trouble with this?

	Amos Shapir		Net: amos@cs....
Paper: The Hebrew Univ. of Jerusalem, Dept. of Comp. Science.
       Givat-Ram, Jerusalem 91904, Israel
GEO: 35 11 46 E / 31 46 21 N
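The arithmetic behind the post, as an added illustration that is not the Plan 9 kernel's sysrendezvous or its REND macro: the table size NREND, the use of '%' to reduce the tag, the 32-bit ulong, and the function names are all assumptions chosen to make the sign problem visible. The first function copies the ulong tag into an int before indexing, as the post says the kernel does; because C's remainder keeps the sign of the dividend, any tag with the top bit set (0x80000000 and above, such as 0xdeadbeef) yields a negative index, i.e. a slot before the start of the table. The other two keep the value unsigned, or mask it, and stay inside the table for every bit pattern.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed table geometry for this illustration (not Plan 9's value). */
enum { NREND = 64 };

/* The post is about 32-bit machines, so ulong is 32 bits here. */
typedef uint32_t ulong;

/* Index as the post describes: the ulong tag is first copied into an
 * int, then reduced.  For tag >= 0x80000000 the copy is negative on
 * any two's-complement compiler (the out-of-range conversion is
 * implementation-defined in C, but every common compiler wraps), and
 * a negative dividend gives a negative remainder, so the index points
 * outside the table. */
int rend_index_int(ulong tag)
{
    int32_t t = (int32_t)tag;  /* the lossy copy the post complains about */
    return t % NREND;
}

/* Same reduction, but done on the unsigned value: always in [0, NREND). */
int rend_index_ulong(ulong tag)
{
    return (int)(tag % NREND);
}

/* Masking instead of '%': in range for any bit pattern, signed or not,
 * provided NREND is a power of two. */
int rend_index_mask(ulong tag)
{
    return (int)(tag & (NREND - 1));
}

/* 1 if idx addresses a slot of the table, 0 if it lies outside it. */
int index_in_table(int idx)
{
    return idx >= 0 && idx < NREND;
}

int main(void)
{
    /* Constructed sample tags: a typical low user address, the first
     * tag with the top bit set, and the value named in the post. */
    ulong tags[] = { 0x0000ffffUL, 0x80000000UL, 0xdeadbeefUL };
    size_t i;

    for (i = 0; i < sizeof tags / sizeof tags[0]; i++) {
        int bad = rend_index_int(tags[i]);
        printf("tag 0x%08lx: int index %d (%s), ulong index %d, mask index %d\n",
               (unsigned long)tags[i], bad,
               index_in_table(bad) ? "in table" : "OUTSIDE table",
               rend_index_ulong(tags[i]), rend_index_mask(tags[i]));
    }
    return 0;
}
```

The masking form is the one to prefer when the table size is a power of two: it gives the same answer whether the tag was copied through a signed or an unsigned variable, so the bug cannot reappear the next time someone changes the type.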