summaryrefslogtreecommitdiffstats
path: root/sandbox/linux/seccomp
diff options
context:
space:
mode:
Diffstat (limited to 'sandbox/linux/seccomp')
-rw-r--r--sandbox/linux/seccomp/library.cc2
-rw-r--r--sandbox/linux/seccomp/library.h2
-rw-r--r--sandbox/linux/seccomp/sandbox_impl.h2
-rw-r--r--sandbox/linux/seccomp/socketcall.cc8
4 files changed, 6 insertions, 8 deletions
diff --git a/sandbox/linux/seccomp/library.cc b/sandbox/linux/seccomp/library.cc
index 1b06bc1..768b00a 100644
--- a/sandbox/linux/seccomp/library.cc
+++ b/sandbox/linux/seccomp/library.cc
@@ -318,7 +318,7 @@ const Elf_Shdr* Library::getSection(const string& section) {
return &iter->second.second;
}
-const int Library::getSectionIndex(const string& section) {
+int Library::getSectionIndex(const string& section) {
if (!valid_) {
return -1;
}
diff --git a/sandbox/linux/seccomp/library.h b/sandbox/linux/seccomp/library.h
index 96ec581..e27bfde 100644
--- a/sandbox/linux/seccomp/library.h
+++ b/sandbox/linux/seccomp/library.h
@@ -126,7 +126,7 @@ class Library {
bool parseElf();
const Elf_Ehdr* getEhdr();
const Elf_Shdr* getSection(const string& section);
- const int getSectionIndex(const string& section);
+ int getSectionIndex(const string& section);
void makeWritable(bool state) const;
void patchSystemCalls();
bool isVDSO() const { return isVDSO_; }
diff --git a/sandbox/linux/seccomp/sandbox_impl.h b/sandbox/linux/seccomp/sandbox_impl.h
index 0a98283..18a359c 100644
--- a/sandbox/linux/seccomp/sandbox_impl.h
+++ b/sandbox/linux/seccomp/sandbox_impl.h
@@ -268,7 +268,7 @@ class Sandbox {
// Wrapper around "read()" that can deal with partial and interrupted reads
// and that does not modify the global errno variable.
static ssize_t read(SysCalls& sys, int fd, void* buf, size_t len) {
- if (len < 0) {
+ if (static_cast<ssize_t>(len) < 0) {
sys.my_errno = EINVAL;
return -1;
}
diff --git a/sandbox/linux/seccomp/socketcall.cc b/sandbox/linux/seccomp/socketcall.cc
index 43116bb..497e5e2 100644
--- a/sandbox/linux/seccomp/socketcall.cc
+++ b/sandbox/linux/seccomp/socketcall.cc
@@ -288,8 +288,7 @@ bool Sandbox::process_sendmsg(int parentMapsFd, int sandboxFd, int threadFdPub,
die("Failed to read parameters for sendmsg() [process]");
}
- if (data.msg.msg_namelen < 0 || data.msg.msg_namelen > 4096 ||
- data.msg.msg_controllen < 0 || data.msg.msg_controllen > 4096) {
+ if (data.msg.msg_namelen > 4096 || data.msg.msg_controllen > 4096) {
die("Unexpected size for socketcall() payload [process]");
}
char extra[data.msg.msg_namelen + data.msg.msg_controllen];
@@ -767,7 +766,7 @@ bool Sandbox::process_socketcall(int parentMapsFd, int sandboxFd,
// Verify that the length for the payload is reasonable. We don't want to
// blow up our stack, and excessive (or negative) buffer sizes are almost
// certainly a bug.
- if (numExtraData < 0 || numExtraData > 4096) {
+ if (numExtraData > 4096) {
die("Unexpected size for socketcall() payload [process]");
}
@@ -783,8 +782,7 @@ bool Sandbox::process_socketcall(int parentMapsFd, int sandboxFd,
ssize_t numSendmsgExtra = 0;
if (socketcall_req.call == SYS_SENDMSG) {
struct msghdr* msg = reinterpret_cast<struct msghdr*>(extra);
- if (msg->msg_namelen < 0 || msg->msg_namelen > 4096 ||
- msg->msg_controllen < 0 || msg->msg_controllen > 4096) {
+ if (msg->msg_namelen > 4096 || msg->msg_controllen > 4096) {
die("Unexpected size for socketcall() payload [process]");
}
numSendmsgExtra = msg->msg_namelen + msg->msg_controllen;
generated by cgit v1.1 at 2025-01-22 07:56:36 +0000