X-Git-Url: http://git.lttng.org/?a=blobdiff_plain;f=libringbuffer%2Fshm.h;h=5785b71d8483d26c3684bdd8875c70aa13f00ca2;hb=381c0f1ef474e0ae8a96b3753470ca4bda45c764;hp=f5cc8e69a2b7a62faf9f614dec2489f99ccee96d;hpb=4746ae29409b78e96543a3b207c91a3c510c6476;p=lttng-ust.git
diff --git a/libringbuffer/shm.h b/libringbuffer/shm.h
index f5cc8e69..5785b71d 100644
--- a/libringbuffer/shm.h
+++ b/libringbuffer/shm.h
@@ -17,29 +17,35 @@
 /*
 * Pointer dereferencing. We don't trust the shm_ref, so we validate
 * both the index and offset with known boundaries.
+ *
+ * "shmp" and "shmp_index" guarantee that it's safe to use the pointer
+ * target type, even in the occurrence of shm_ref modification by an
+ * untrusted process having write access to the shm_ref. We return a
+ * NULL pointer if the ranges are invalid.
 */
 static inline
 char *_shmp_offset(struct shm_object_table *table, struct shm_ref *ref,
- size_t offset)
+ size_t idx, size_t elem_size)
 {
 struct shm_object *obj;
- size_t index, ref_offset;
+ size_t objindex, ref_offset;
- index = (size_t) ref->index;
- if (unlikely(index >= table->allocated_len))
+ objindex = (size_t) ref->index;
+ if (unlikely(objindex >= table->allocated_len))
 return NULL;
- obj = &table->objects[index];
+ obj = &table->objects[objindex];
 ref_offset = (size_t) ref->offset;
- ref_offset += offset;
- if (unlikely(ref_offset >= obj->memory_map_size))
+ ref_offset += idx * elem_size;
+ /* Check if part of the element returned would exceed the limits. */
+ if (unlikely(ref_offset + elem_size > obj->memory_map_size))
 return NULL;
 return &obj->memory_map[ref_offset];
 }
-#define shmp_index(handle, ref, offset) \
+#define shmp_index(handle, ref, index) \
 ({ \
 __typeof__((ref)._type) ____ptr_ret; \
- ____ptr_ret = (__typeof__(____ptr_ret)) _shmp_offset((handle)->table, &(ref)._ref, ((offset) * sizeof(*____ptr_ret))); \
+ ____ptr_ret = (__typeof__(____ptr_ret)) _shmp_offset((handle)->table, &(ref)._ref, index, sizeof(*____ptr_ret)); \
 ____ptr_ret; \
 })
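Review bot: The new bound check `ref_offset + elem_size > obj->memory_map_size` in _shmp_offset can wrap around size_t, so it no longer rejects a very large `ref->offset`, which the old `ref_offset >= obj->memory_map_size` test did. The comment added above says the shm_ref may be modified by an untrusted process, yet `idx * elem_size` and both additions are computed without an overflow check; if `ref->offset` is a signed type (its declaration is outside the hunk), a negative value cast to size_t would be enough for the sum to wrap and pass. Comparing by subtraction against the map size avoids the wrap, as sketched below. Separately, the `shmp_index` macro now passes `index` unparenthesized where the old code had `(offset)`; writing `(index)` keeps the macro safe for expression arguments.

```c
	size_t objindex, ref_offset, avail;

	/* … unchanged: objindex range check and obj lookup … */
	ref_offset = (size_t) ref->offset;
	/* Overflow-safe form of: ref_offset + (idx + 1) * elem_size <= memory_map_size */
	if (unlikely(elem_size == 0 || elem_size > obj->memory_map_size))
		return NULL;
	avail = obj->memory_map_size - elem_size;
	if (unlikely(ref_offset > avail))
		return NULL;
	if (unlikely(idx > (avail - ref_offset) / elem_size))
		return NULL;
	ref_offset += idx * elem_size;
	return &obj->memory_map[ref_offset];
```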
@@ -97,4 +103,22 @@ int shm_get_wait_fd(struct shm_handle *handle, struct shm_ref *ref)
 return obj->wait_fd[0];
 }
+static inline
+int shm_get_object_data(struct shm_handle *handle, struct shm_ref *ref,
+ int *shm_fd, int *wait_fd, uint64_t *memory_map_size)
+{
+ struct shm_object_table *table = handle->table;
+ struct shm_object *obj;
+ size_t index;
+
+ index = (size_t) ref->index;
+ if (unlikely(index >= table->allocated_len))
+ return -EPERM;
+ obj = &table->objects[index];
+ *shm_fd = obj->shm_fd;
+ *wait_fd = obj->wait_fd[0];
+ *memory_map_size = obj->memory_map_size;
+ return 0;
+}
+
 #endif /* _LIBRINGBUFFER_SHM_H */
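Review bot: shm_get_object_data has no comment stating its contract, and on the `-EPERM` path it returns before writing `*shm_fd`, `*wait_fd` or `*memory_map_size`, so a caller that skips the return check would go on to use whatever those variables held as descriptors and a mapping size. A short header comment would cover it, for example `/* Returns 0 and fills the three out parameters, or -EPERM with the out parameters untouched if ref->index is out of range. */`. Only `ref->index` is range-checked here; whether the returned descriptors remain owned by the object table is not visible in the hunk and would be worth stating in the same comment.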