From c6474b07e7b5f0cdc9089c1c4fcfc4fcaa2bcd92 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Thu, 10 May 2012 15:32:53 -0700
Subject: [PATCH] Hurd: _hurd_select: check for invalid parameter values

---
 ChangeLog         |  6 ++++++
 hurd/hurdselect.c | 28 +++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 11fdd81..d244bdb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2012-05-10  Pino Toscano  <toscano.pino@tiscali.it>
+
+	* hurd/hurdselect.c (_hurd_select): Return EINVAL for negative
+	TIMEOUT values.  Return EINVAL for NFDS values either negative or
+	greater than FD_SETSIZE.
+
 2012-05-10  Samuel Thibault  <samuel.thibault@ens-lyon.org>
 
 	* sysdeps/mach/hurd/brk.c (_hurd_set_brk): When more space needs to be
diff --git a/hurd/hurdselect.c b/hurd/hurdselect.c
index 25d9d9f..21ba5f4 100644
--- a/hurd/hurdselect.c
+++ b/hurd/hurdselect.c
@@ -1,6 +1,5 @@
 /* Guts of both `select' and `poll' for Hurd.
-   Copyright (C) 1991,92,93,94,95,96,97,98,99,2001
-   	Free Software Foundation, Inc.
+   Copyright (C) 1991-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -49,10 +48,7 @@ _hurd_select (int nfds,
   error_t err;
   fd_set rfds, wfds, xfds;
   int firstfd, lastfd;
-  mach_msg_timeout_t to = (timeout != NULL ?
-			   (timeout->tv_sec * 1000 +
-			    (timeout->tv_nsec + 999999) / 1000000) :
-			   0);
+  mach_msg_timeout_t to = 0;
   struct
     {
       struct hurd_userlink ulink;
@@ -71,6 +67,24 @@ _hurd_select (int nfds,
   assert (sizeof (union typeword) == sizeof (mach_msg_type_t));
   assert (sizeof (uint32_t) == sizeof (mach_msg_type_t));
 
+  if (nfds < 0 || nfds > FD_SETSIZE)
+    {
+      errno = EINVAL;
+      return -1;
+    }
+
+  if (timeout != NULL)
+    {
+      if (timeout->tv_sec < 0 || timeout->tv_nsec < 0)
+	{
+	  errno = EINVAL;
+	  return -1;
+	}
+
+      to = (timeout->tv_sec * 1000 +
+            (timeout->tv_nsec + 999999) / 1000000);
+    }
+
   if (sigmask && __sigprocmask (SIG_SETMASK, sigmask, &oset))
     return -1;
 
@@ -364,7 +378,7 @@ _hurd_select (int nfds,
 		}
 
 	      /* Look up the respondent's reply port and record its
-                 readiness.  */
+		 readiness.  */
 	      {
 		int had = got;
 		if (firstfd != -1)
-- 
2.7.4