!1197 整数溢出漏洞修复

Merge pull request !1197 from hw_llm/master

compat/posix/src/mqueue.c

@@ -270,6 +270,7 @@ STATIC INT32 DoMqueueClose(struct mqpersonal *privateMqPersonal)
 {
     struct mqarray *mqueueCB = NULL;
     struct mqpersonal *tmp = NULL;
+    INT32 ret;
 
     mqueueCB = privateMqPersonal->mq_posixdes;
     if (mqueueCB == NULL || mqueueCB->mq_personal == NULL) {
@@ -277,6 +278,12 @@ STATIC INT32 DoMqueueClose(struct mqpersonal *privateMqPersonal)
         return LOS_NOK;
     }
 
+    if ((mqueueCB->unlinkflag == TRUE) && (privateMqPersonal->mq_next == NULL)) {
+        ret = DoMqueueDelete(mqueueCB);
+        if (ret < 0) {
+            return ret;
+        }
+    }
     /* find the personal and remove */
     if (mqueueCB->mq_personal == privateMqPersonal) {
         mqueueCB->mq_personal = privateMqPersonal->mq_next;
@@ -298,9 +305,6 @@ STATIC INT32 DoMqueueClose(struct mqpersonal *privateMqPersonal)
     /* free the personal */
     (VOID)LOS_MemFree(OS_SYS_MEM_ADDR, privateMqPersonal);
 
-    if ((mqueueCB->unlinkflag == TRUE) && (mqueueCB->mq_personal == NULL)) {
-        return DoMqueueDelete(mqueueCB);
-    }
     return LOS_OK;
 }
 

syscall/net_syscall.c

@@ -401,7 +401,7 @@ ssize_t SysSendMsg(int s, const struct msghdr *message, int flags)
     CHECK_ASPACE(message, sizeof(struct msghdr));
     CPY_FROM_CONST_USER(struct msghdr, message);
 
-    if (message && message->msg_iovlen > IOV_MAX) {
+    if (message && (size_t)message->msg_iovlen > IOV_MAX) {
         set_errno(EMSGSIZE);
         return -get_errno();
     }
@@ -449,7 +449,7 @@ ssize_t SysRecvMsg(int s, struct msghdr *message, int flags)
     CHECK_ASPACE(message, sizeof(struct msghdr));
     CPY_FROM_NONCONST_USER(message);
 
-    if (message && message->msg_iovlen > IOV_MAX) {
+    if (message && (size_t)message->msg_iovlen > IOV_MAX) {
         set_errno(EMSGSIZE);
         return -get_errno();
     }