1 /* Bug 28213: test for NULL pointer dereference in mq_notify.
2    Copyright The GNU Toolchain Authors.
3    This file is part of the GNU C Library.
4 
5    The GNU C Library is free software; you can redistribute it and/or
6    modify it under the terms of the GNU Lesser General Public
7    License as published by the Free Software Foundation; either
8    version 2.1 of the License, or (at your option) any later version.
9 
10    The GNU C Library is distributed in the hope that it will be useful,
11    but WITHOUT ANY WARRANTY; without even the implied warranty of
12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
13    Lesser General Public License for more details.
14 
15    You should have received a copy of the GNU Lesser General Public
16    License along with the GNU C Library; if not, see
17    <https://www.gnu.org/licenses/>.  */
18 
19 #include <errno.h>
20 #include <sys/types.h>
21 #include <sys/stat.h>
22 #include <fcntl.h>
23 #include <unistd.h>
24 #include <mqueue.h>
25 #include <signal.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <support/check.h>
29 
/* Descriptor of the message queue under test.  It stays at -1 until
   do_test opens the queue, and is then read by check_bz28213 and by the
   notification callback.  */
static mqd_t m = -1;
/* Payload sent through the queue.  sizeof (msg) includes the
   terminating NUL; the same value is used as the queue's message size,
   as the send length and as the receive buffer size.  */
static const char msg[] = "hello";
32 
/* SIGEV_THREAD notification callback registered by check_bz28213.
   Receives one message from the global queue M, verifies that it is
   byte-for-byte identical to MSG and then terminates the process with
   status 0.  Reaching exit (0) here is the only success path of the
   test: it shows that a notification was still delivered after the
   register/unregister/register sequence.  SV is unused.  */
static void
check_bz28213_cb (union sigval sv)
{
  /* Same size as the queue's mq_msgsize, which do_test sets from
     sizeof (msg).  */
  char buf[sizeof (msg)];

  (void) sv;

  /* mq_receive returns -1 on error.  Cast to size_t, that value cannot
     equal sizeof (buf), so an error and a message of unexpected length
     both fail this check.  The priority is not requested (NULL).  */
  TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL)
		    == sizeof (buf));
  TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0);

  /* exit ends the whole process, including the main thread that is
     blocked in pause.  */
  exit (0);
}
46 
/* Regression scenario for bug 28213.  On the global queue M it
   registers a SIGEV_THREAD notification, removes it, registers it
   again and sends one message.  The order of the calls is the
   reproducer and must not be changed.  On success this function does
   not return: the process ends in check_bz28213_cb via exit (0).  */
static void
check_bz28213 (void)
{
  struct sigevent sev;

  /* Zero the whole structure so that every field not assigned below
     is zero.  */
  memset (&sev, '\0', sizeof (sev));
  sev.sigev_notify = SIGEV_THREAD;
  sev.sigev_notify_function = check_bz28213_cb;

  /* Step 1: Register & unregister notifier.
     Helper thread should receive NOTIFY_REMOVED notification.
     In a vulnerable version of glibc, NULL pointer dereference follows.
     The dereference would happen in the helper thread, not in these
     two calls, so both can still return 0 on an affected build
     (presumably the process then crashes before the callback can call
     exit (0) -- confirm against the harness).  */
  TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
  TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0);

  /* Step 2: Once again, register notification.
     Try to send one message.
     Test is considered successful, if the callback does exit (0).  */
  TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
  TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0);

  /* Block the main thread until the callback ends the process.
     NOTE(review): pause only returns after a signal handler has run.
     If that ever happens, control goes back to do_test, which returns
     0, so the test would pass without the callback having run.  If the
     notification is never delivered, nothing in this file ends the
     wait; presumably the test driver's timeout does -- confirm.  */
  pause ();
}
71 
/* Test entry point for <support/test-driver.c>.  Creates a fresh
   single-slot message queue, stores its descriptor in the global M,
   removes the queue's name again and runs the bug 28213 scenario.
   The test is reported as unsupported when mq_open fails with ENOSYS;
   any other mq_open failure fails the test.  */
static int
do_test (void)
{
  static const char m_name[] = "/bz28213_queue";
  const int open_flags = O_RDWR | O_CREAT | O_EXCL;
  struct mq_attr queue_attr;

  /* One slot, sized to hold MSG including its terminating NUL.  All
     other attribute fields stay zero.  */
  memset (&queue_attr, 0, sizeof (queue_attr));
  queue_attr.mq_msgsize = sizeof (msg);
  queue_attr.mq_maxmsg = 1;

  /* O_CREAT | O_EXCL makes the call fail rather than attach to a queue
     of the same name that already exists, and mode 0600 limits access
     to the owner.  */
  m = mq_open (m_name, open_flags, 0600, &queue_attr);

  /* errno is still the value left by mq_open when either check runs,
     so %m below describes the mq_open failure.  */
  if (m < 0 && errno == ENOSYS)
    FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n");
  if (m < 0)
    FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n");

  /* Remove the name immediately.  The open descriptor stays usable,
     and no named queue is left behind whichever way the process
     ends.  */
  TEST_VERIFY_EXIT (mq_unlink (m_name) == 0);

  /* Does not return on success: the notification callback calls
     exit (0).  */
  check_bz28213 ();

  return 0;
}
100 
101 #include <support/test-driver.c>
102