Synopsis: Insufficient checking of lengths passed from userland to kernel
NetBSD versions: -current (post 1.5, pre 2001-08-04)
Thanks to: Jaromir Dolecek
Reported in NetBSD Security Advisory: NetBSD-SA2001-015
Index: arch/amiga/dev/grf_cl.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/amiga/dev/grf_cl.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -p -r1.25 -r1.26
--- grf_cl.c 1999/06/29 19:51:28 1.25
+++ grf_cl.c 2001/08/05 18:07:52 1.26
@@ -905,7 +905,7 @@ cl_setspriteinfo(gp, data)
 if (data->set & GRFSPRSET_SHAPE) {
- short dsx, dsy, i;
+ unsigned short dsx, dsy, i;
 unsigned long *di, *dm, *si, *sm;
 unsigned long ssi[128], ssm[128];
 struct grf_position gpos;
Index: arch/amiga/dev/grfioctl.h
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/amiga/dev/grfioctl.h,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- grfioctl.h 1997/07/29 17:54:11 1.13
+++ grfioctl.h 2001/08/05 18:07:51 1.14
@@ -147,8 +147,8 @@ struct grfvideo_mode {
 * Maxium value of "index" can be deduced from grfinfo->gd_colors.
 */
 struct grf_colormap {
- int index; /* start at red[index],green[index],blue[index] */
- int count; /* till < red[index+count],... */
+ unsigned int index; /* start at red[index],green[index],blue[index] */
+ unsigned int count; /* till < red[index+count],... */
 u_char *red;
 u_char *green;
 u_char *blue;
Index: arch/arm32/vidc/vidcvideo.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/arm32/vidc/vidcvideo.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- vidcvideo.c 2001/04/14 02:25:43 1.7
+++ vidcvideo.c 2001/08/05 18:07:52 1.8
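Review bot: Making dsx, dsy and i unsigned short only removes the negative-value case; nothing in this hunk compares them against the 128-entry ssi/ssm arrays declared two lines below, so the protection rests on a range check further down in cl_setspriteinfo that is outside the hunk and should be confirmed to exist and to be written against the array size. The enclosing function starts and ends outside the hunk. A comment on the declaration would record why the type matters, e.g. `unsigned short dsx, dsy, i; /* unsigned: ioctl-supplied, index ssi[]/ssm[] below */`.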
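Review bot: Making index and count unsigned stops a negative value reaching red[index], but it also means a consumer's `index + count` bound check can wrap around to a small value, so the kernel-side check has to test the two fields separately, e.g. `if (cm->index > gd_colors || cm->count > gd_colors - cm->index) return (EINVAL);`; that check is outside this patch and is worth confirming. The same signedness-only change, with the comparison that actually enforces the bound out of view, is made in fbio.h, ofb.c, cgtwo.c, cg2.c, tga.c, the set_cursor hunks in vidcvideo.c, cfb.c, mfb.c, sfb.c, sfbplus.c, stic.c, tfb.c and xcfb.c, nb in if_ppp.c, ncd_authlen/ncd_verflen in nfs.h and nsops in sysv_sem.c. None of those declarations say why the type changed; a short comment such as `/* unsigned: supplied by userland, compared against the table size */` on each would stop a later cleanup from quietly turning them back into int. grfioctl.h and fbio.h are userland-visible headers, so the change alters the sign semantics of an existing ioctl ABI even though the layout is unchanged, which is presumably intended but deserves a line in the commit text.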
@@ -773,7 +773,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, index, count, icount;
+ u_int v, index, count, icount;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: arch/hpcmips/dev/plumvideo.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/hpcmips/dev/plumvideo.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -p -r1.19 -r1.20
--- plumvideo.c 2001/07/22 09:56:41 1.19
+++ plumvideo.c 2001/08/05 18:07:52 1.20
@@ -417,7 +417,8 @@ plumvideo_ioctl(void *v, u_long cmd, cad
 struct wsdisplay_cmap *cmap;
 u_int8_t *r, *g, *b;
 u_int32_t *rgb;
- int idx, cnt, error;
+ int idx, error;
+ size_t cnt;
 switch (cmd) {
 case WSDISPLAYIO_GETCMAP:
Index: arch/hpcsh/dev/hd64461/hd64461video.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/hpcsh/dev/hd64461/hd64461video.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- hd64461video.c 2001/07/22 09:56:40 1.3
+++ hd64461video.c 2001/08/05 18:07:54 1.4
@@ -410,7 +410,8 @@ hd64461video_ioctl(void *v, u_long cmd,
 struct hpcfb_dspconf *dspconf;
 struct wsdisplay_cmap *cmap;
 u_int8_t *r, *g, *b;
- int idx, cnt, error;
+ int error;
+ size_t idx, cnt;
 switch (cmd) {
 case WSDISPLAYIO_GETCMAP:
Index: arch/macppc/dev/ofb.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/macppc/dev/ofb.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -p -r1.24 -r1.25
--- ofb.c 2001/07/22 11:29:47 1.24
+++ ofb.c 2001/08/05 18:07:53 1.25
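Review bot: plumvideo.c keeps idx as int while cnt becomes size_t, whereas the parallel hunk in hd64461video.c makes both idx and cnt size_t; if idx is copied from cmap->index and that field is unsigned, a value above INT_MAX turns negative in idx and a signed `idx + cnt` comparison no longer catches it. The two drivers handle the same WSDISPLAYIO_GETCMAP/PUTCMAP arguments and should be declared alike, `int error;` / `size_t idx, cnt;`. The assignments and comparisons that use idx are below the hunk, so this is inferred from the declarations alone; plumvideo_ioctl continues past the hunk.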
@@ -536,8 +536,8 @@ ofb_putcmap(sc, cm)
 struct wsdisplay_cmap *cm;
 {
 struct ofb_devconfig *dc = sc->sc_dc;
- int index = cm->index;
- int count = cm->count;
+ u_int index = cm->index;
+ u_int count = cm->count;
 int i;
 u_char *r, *g, *b;
Index: arch/sparc/dev/cgtwo.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/sparc/dev/cgtwo.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -p -r1.34 -r1.35
--- cgtwo.c 2000/08/22 21:28:35 1.34
+++ cgtwo.c 2001/08/05 18:07:53 1.35
@@ -363,7 +363,8 @@ cgtwoputcmap(sc, cmap)
 register struct fbcmap *cmap;
 {
 u_char red[CG2_CMSIZE], green[CG2_CMSIZE], blue[CG2_CMSIZE];
- int error, start, count, ecount;
+ int error;
+ u_int start, count, ecount;
 register u_int i;
 register volatile u_short *p;
Index: arch/sun3/dev/cg2.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/sun3/dev/cg2.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- cg2.c 2000/06/29 07:18:58 1.13
+++ cg2.c 2001/08/05 18:07:53 1.14
@@ -352,7 +352,8 @@ static int cg2putcmap(fb, data)
 struct fbcmap *cmap = data;
 struct cg2_softc *sc = fb->fb_private;
 u_char red[CMSIZE], green[CMSIZE], blue[CMSIZE];
- int error, start, count, ecount;
+ int error;
+ u_int start, count, ecount;
 register u_int i;
 register u_short *p;
Index: dev/pci/tga.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/pci/tga.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -p -r1.34 -r1.35
--- tga.c 2001/07/16 00:55:16 1.34
+++ tga.c 2001/08/05 18:07:54 1.35
@@ -817,7 +817,8 @@ tga_builtin_set_cursor(dc, cursorp)
 {
 struct ramdac_funcs *dcrf = dc->dc_ramdac_funcs;
 struct ramdac_cookie *dcrc = dc->dc_ramdac_cookie;
- int count, error, v;
+ u_int count, v;
+ int error;
 v = cursorp->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: dev/sun/fbio.h
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/sun/fbio.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- fbio.h 2000/08/20 14:00:43 1.1
+++ fbio.h 2001/08/05 18:07:53 1.2
@@ -107,8 +107,8 @@ struct fbinfo {
 * Color map I/O.
 */
 struct fbcmap {
- int index; /* first element (0 origin) */
- int count; /* number of elements */
+ u_int index; /* first element (0 origin) */
+ u_int count; /* number of elements */
 u_char *red; /* red color map elements */
 u_char *green; /* green color map elements */
 u_char *blue; /* blue color map elements */
Index: dev/tc/cfb.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/cfb.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -p -r1.27 -r1.28
--- cfb.c 2001/04/20 11:53:06 1.27
+++ cfb.c 2001/08/05 18:07:54 1.28
@@ -722,7 +722,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, index, count, icount;
+ u_int v, index, count, icount;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: dev/tc/mfb.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/mfb.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- mfb.c 2001/01/16 05:32:16 1.26
+++ mfb.c 2001/08/05 18:07:54 1.27
@@ -32,7 +32,7 @@
 #include /* RCS ID & Copyright macro defns */
-__KERNEL_RCSID(0, "$NetBSD: SA2001-015-kernlen-current.patch,v 1.1 2001/08/23 21:02:14 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: SA2001-015-kernlen-current.patch,v 1.1 2001/08/23 21:02:14 jdolecek Exp $");
 #include
 #include
@@ -634,7 +634,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, count, index;
+ u_int v, count, index;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: dev/tc/sfb.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/sfb.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -p -r1.45 -r1.46
--- sfb.c 2001/04/20 11:53:06 1.45
+++ sfb.c 2001/08/05 18:07:54 1.46
@@ -758,7 +758,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, index, count, icount;
+ u_int v, index, count, icount;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: dev/tc/sfbplus.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/sfbplus.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- sfbplus.c 2001/02/27 02:11:36 1.9
+++ sfbplus.c 2001/08/05 18:07:55 1.10
@@ -782,7 +782,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, index, count, icount;
+ u_int v, index, count, icount;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: dev/tc/stic.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/stic.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- stic.c 2001/03/04 13:32:25 1.8
+++ stic.c 2001/08/05 18:07:55 1.9
@@ -1290,7 +1290,7 @@ static int
 stic_set_cursor(struct stic_info *si, struct wsdisplay_cursor *p)
 {
 #define cc (&si->si_cursor)
- int v, index, count, icount;
+ u_int v, index, count, icount;
 struct stic_screen *ss;
 v = p->which;
Index: dev/tc/tfb.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/tfb.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -p -r1.29 -r1.30
--- tfb.c 2001/01/16 05:32:16 1.29
+++ tfb.c 2001/08/05 18:07:55 1.30
@@ -803,7 +803,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, index, count, icount;
+ u_int v, index, count, icount;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: dev/tc/xcfb.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/tc/xcfb.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -p -r1.22 -r1.23
--- xcfb.c 2001/04/09 16:10:06 1.22
+++ xcfb.c 2001/08/05 18:07:55 1.23
@@ -605,7 +605,7 @@ set_cursor(sc, p)
 struct wsdisplay_cursor *p;
 {
 #define cc (&sc->sc_cursor)
- int v, index, count;
+ u_int v, index, count;
 v = p->which;
 if (v & WSDISPLAY_CURSOR_DOCMAP) {
Index: net/if_ppp.c
===================================================================
RCS file: /cvsroot/syssrc/sys/net/if_ppp.c,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -p -r1.70 -r1.71
--- if_ppp.c 2001/07/18 16:43:09 1.70
+++ if_ppp.c 2001/08/05 18:07:55 1.71
@@ -380,7 +380,8 @@ pppioctl(sc, cmd, data, flag, p)
 int flag;
 struct proc *p;
 {
- int s, error, flags, mru, nb, npx;
+ int s, error, flags, mru, npx;
+ u_int nb;
 struct ppp_option_data *odp;
 struct compressor **cp;
 struct npioctl *npi;
Index: coda/coda_venus.c
===================================================================
RCS file: /cvsroot/syssrc/sys/coda/coda_venus.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- coda_venus.c 2001/07/18 16:12:31 1.8
+++ coda_venus.c 2001/08/05 11:22:33 1.9
@@ -265,6 +265,9 @@ venus_ioctl(void *mdp, ViceFid *fid,
 inp->cmd = (com & ~(IOCPARM_MASK << 16));
 tmp = ((com >> 16) & IOCPARM_MASK) - sizeof (char *) - sizeof (int);
 inp->cmd |= (tmp & IOCPARM_MASK) << 16;
+
+ if (iap->vi.in_size < 0 || iap->vi.in_size > VC_MAXMSGSIZE)
+ return (EINVAL);
 inp->rwflag = flag;
 inp->len = iap->vi.in_size;
Index: dev/ic/mlx.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/ic/mlx.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- mlx.c 2001/07/26 12:38:03 1.12
+++ mlx.c 2001/08/05 11:11:33 1.13
@@ -1740,6 +1740,9 @@ mlx_user_command(struct mlx_softc *mlx,
 * its initial contents.
 */
 if (mu->mu_datasize > 0) {
+ if (mu->mu_datasize > MAXPHYS)
+ return (EINVAL);
+
 kbuf = malloc(mu->mu_datasize, M_DEVBUF, M_WAITOK);
 if (kbuf == NULL) {
 DPRINTF(("mlx_user_command: malloc = NULL\n"));
Index: dev/wscons/wsdisplay.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/wscons/wsdisplay.c,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -p -r1.51 -r1.52
--- wsdisplay.c 2001/05/18 11:49:21 1.51
+++ wsdisplay.c 2001/08/05 11:26:52 1.52
@@ -1046,6 +1046,7 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag,
 int error;
 char *type, typebuf[16], *emul, emulbuf[16];
 void *buf;
+ u_int fontsz;
 #if defined(COMPAT_14) && NWSKBD > 0
 struct wsmux_device wsmuxdata;
 #endif
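Review bot: The new early `return (EINVAL)` leaves venus_ioctl by a path the function did not have before; the hunk is already filling in inp->cmd, so inp exists at this point, and if it was obtained from an allocation earlier in the function that buffer is not released on this exit, so the return should go through whatever cleanup the later error paths of venus_ioctl use. The hunk also bounds only in_size; iap->vi.out_size is the matching output length and, if it sizes a copy or allocation further down, needs the same `< 0 || > VC_MAXMSGSIZE` test. venus_ioctl continues outside the hunk, so both points are inferred from the visible lines.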
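Review bot: The choice of MAXPHYS as the ceiling for mu_datasize is not explained at the check; a reader has to know that kbuf is presumably handed to the controller as a single transfer, and a comment on the new `if`, such as `/* kbuf becomes one controller transfer; MAXPHYS is the largest the kernel will map */`, would capture that (confirm against the use of kbuf below, which is outside the hunk). The `kbuf == NULL` test that follows is pre-existing, but if malloc with M_WAITOK cannot fail in this tree it is dead code and this change is a natural moment to remove it. mlx_user_command continues past the hunk.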
@@ -1088,10 +1089,12 @@ wsdisplay_cfg_ioctl(sc, cmd, data, flag,
 d->name = typebuf;
 } else
 d->name = "loaded"; /* ??? */
- buf = malloc(d->fontheight * d->stride * d->numchars,
- M_DEVBUF, M_WAITOK);
- error = copyin(d->data, buf,
- d->fontheight * d->stride * d->numchars);
+ fontsz = d->fontheight * d->stride * d->numchars;
+ if (fontsz > WSDISPLAY_MAXFONTSZ)
+ return (EINVAL);
+
+ buf = malloc(fontsz, M_DEVBUF, M_WAITOK);
+ error = copyin(d->data, buf, fontsz);
 if (error) {
 free(buf, M_DEVBUF);
 return (error);
Index: dev/wscons/wskbd.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/wscons/wskbd.c,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -p -r1.41 -r1.42
--- wskbd.c 2001/05/30 15:24:25 1.41
+++ wskbd.c 2001/08/05 11:26:52 1.42
@@ -970,6 +970,9 @@ getkeyrepeat:
 if ((flag & FWRITE) == 0)
 return (EACCES);
 umdp = (struct wskbd_map_data *)data;
+ if (umdp->maplen > WSKBDIO_MAXMAPLEN)
+ return (EINVAL);
+
 len = umdp->maplen*sizeof(struct wscons_keymap);
 buf = malloc(len, M_TEMP, M_WAITOK);
 error = copyin(umdp->map, buf, len);
Index: dev/wscons/wsconsio.h
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/wscons/wsconsio.h,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -p -r1.39 -r1.40
--- wsconsio.h 2001/03/30 13:06:45 1.39
+++ wsconsio.h 2001/08/05 11:26:52 1.40
@@ -136,6 +136,7 @@ struct wskbd_keyrepeat_data {
 /* Manipulate keysym groups. */
 struct wskbd_map_data {
 u_int maplen; /* number of entries in map */
+#define WSKBDIO_MAXMAPLEN 65536
 struct wscons_keymap *map; /* map to get or set */
 };
 #define WSKBDIO_GETMAP _IOWR('W', 13, struct wskbd_map_data)
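Review bot: fontsz is the product of three fields taken straight from the ioctl argument, and with fontheight and stride now u_int (wsconsio.h hunk in this patch) the multiplication can wrap before it is compared, so a wrapped-small fontsz passes `fontsz > WSDISPLAY_MAXFONTSZ` while the individual dimensions are still huge; each factor has to be bounded before multiplying. The rewrite below also rejects zero factors, which the old code let through to malloc(0) — say so in the commit if that tightening is wanted. Whether numchars is signed is not visible here; the cast makes a negative value large and therefore rejected. wsdisplay_cfg_ioctl continues outside the hunk.
```c
	/* Bound each factor before multiplying: the u_int product could otherwise wrap. */
	if (d->fontheight == 0 || d->stride == 0 || d->numchars == 0 ||
	    d->stride > WSDISPLAY_MAXFONTSZ / d->fontheight ||
	    (u_int)d->numchars > WSDISPLAY_MAXFONTSZ / (d->fontheight * d->stride))
		return (EINVAL);
	fontsz = d->fontheight * d->stride * d->numchars;
	/* … unchanged: malloc(fontsz, ...) and copyin(d->data, buf, fontsz) … */
```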
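Review bot: WSKBDIO_MAXMAPLEN is dropped into the struct body with no indication of what it bounds or why 65536; since this is a userland-visible header, a comment at the define — `/* upper bound on maplen accepted when setting a map, in entries */` — tells both sides of the ABI what the kernel will reject. The same applies to WSDISPLAY_MAXFONTSZ in the next hunk of this file, where it is even less obvious that the limit is in bytes of fontheight * stride * numchars (that is how wsdisplay.c compares and allocates it) rather than a value for the fields it sits between; `/* max fontheight * stride * numchars, in bytes */` would say so. The placement inside the struct matches how this header already nests its FONTENC/FONTORDER defines, so only the explanation is missing.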
@@ -305,7 +306,8 @@ struct wsdisplay_font {
 #define WSDISPLAY_FONTENC_IBM 1
 #define WSDISPLAY_FONTENC_PCVT 2
 #define WSDISPLAY_FONTENC_ISO7 3 /* greek */
- int fontwidth, fontheight, stride;
+ u_int fontwidth, fontheight, stride;
+#define WSDISPLAY_MAXFONTSZ (512*1024)
 int bitorder, byteorder;
 #define WSDISPLAY_FONTORDER_KNOWN 0 /* i.e, no need to convert */
 #define WSDISPLAY_FONTORDER_L2R 1
Index: dev/ccdvar.h
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/ccdvar.h,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -p -r1.19 -r1.20
--- ccdvar.h 1999/08/11 02:44:35 1.19
+++ ccdvar.h 2001/08/05 11:20:14 1.20
@@ -95,7 +95,7 @@
 */
 struct ccd_ioctl {
 char **ccio_disks; /* pointer to component paths */
- int ccio_ndisks; /* number of disks to concatenate */
+ u_int ccio_ndisks; /* number of disks to concatenate */
 int ccio_ileave; /* interleave (DEV_BSIZE blocks) */
 int ccio_flags; /* see sc_flags below */
 int ccio_unit; /* unit number: use varies */
@@ -166,7 +166,8 @@ struct ccd_softc {
 int sc_flags; /* flags */
 size_t sc_size; /* size of ccd */
 int sc_ileave; /* interleave */
- int sc_nccdisks; /* number of components */
+ u_int sc_nccdisks; /* number of components */
+#define CCD_MAXNDISKS 65536
 struct ccdcinfo *sc_cinfo; /* component info */
 struct ccdiinfo *sc_itable; /* interleave table */
 struct ccdgeom sc_geom; /* pseudo geometry info */
Index: netisdn/i4b_i4bdrv.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netisdn/i4b_i4bdrv.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- i4b_i4bdrv.c 2001/04/21 07:23:41 1.4
+++ i4b_i4bdrv.c 2001/08/05 11:16:56 1.5
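Review bot: CCD_MAXNDISKS is introduced next to sc_nccdisks, but no hunk in this patch compares ccio_ndisks or sc_nccdisks against it, so as shown the limit is declared and never enforced; if the check lives in ccd.c it belongs in the same change set so the two cannot drift apart. It is also defined in the kernel-private ccd_softc rather than beside the userland-visible ccio_ndisks it constrains, which is where a caller of the configure ioctl would look for it. A comment such as `/* max ccio_ndisks accepted when configuring a ccd */` at the define would cover both points.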
@@ -834,6 +834,12 @@ download_done:
 if(req.in_param_len)
 {
+ /* XXX arbitrary limit */
+ if (req.in_param_len > I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN) {
+ error = EINVAL;
+ goto diag_done;
+ }
+
 req.in_param = malloc(r->in_param_len, M_DEVBUF, M_WAITOK);
 if(!req.in_param)
Index: netisdn/i4b_ioctl.h
===================================================================
RCS file: /cvsroot/syssrc/sys/netisdn/i4b_ioctl.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- i4b_ioctl.h 2001/01/05 12:49:56 1.1
+++ i4b_ioctl.h 2001/08/05 11:16:56 1.2
@@ -688,6 +688,7 @@ struct isdn_diagnostic_request {
 int controller; /* controller number */
 u_int32_t cmd; /* diagnostic command to execute */
 size_t in_param_len; /* length of additional input parameter */
+#define I4B_ACTIVE_DIAGNOSTIC_MAXPARAMLEN 65536
 void *in_param; /* optional input parameter */
 size_t out_param_len; /* available output space */
 void *out_param; /* output data goes here */
Index: miscfs/umapfs/umap_vfsops.c
===================================================================
RCS file: /cvsroot/syssrc/sys/miscfs/umapfs/umap_vfsops.c,v
retrieving revision 1.28
retrieving revision 1.30
diff -u -p -r1.28 -r1.30
--- umap_vfsops.c 2001/08/02 22:40:59 1.28
+++ umap_vfsops.c 2001/08/16 15:37:06 1.30
@@ -144,6 +144,11 @@ umapfs_mount(mp, path, data, ndp, p)
 /*
 * Now copy in the number of entries and maps for umap mapping.
 */
+ if (args.nentries > MAPFILEENTRIES || args.gnentries > GMAPFILEENTRIES) {
+ vput(lowerrootvp);
+ return (error);
+ }
+
 amp->info_nentries = args.nentries;
 amp->info_gnentries = args.gnentries;
 error = copyin(args.mapdata, (caddr_t)amp->info_mapdata,
Index: nfs/nfs.h
===================================================================
RCS file: /cvsroot/syssrc/sys/nfs/nfs.h,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -p -r1.29 -r1.30
--- nfs.h 2001/07/01 02:13:35 1.29
+++ nfs.h 2001/08/03 06:00:14 1.30
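Review bot: The new guard tests `req.in_param_len`, but the allocation on the next line sizes itself from `r->in_param_len`, a different object; unless req is guaranteed to be a verbatim copy of *r at this point (the copy, if any, is outside the hunk) the checked value and the allocated size can differ, so the malloc should use the value that was checked: `req.in_param = malloc(req.in_param_len, M_DEVBUF, M_WAITOK);`. The request also carries out_param_len (visible in the i4b_ioctl.h hunk), which gets no bound here; if it drives an allocation or copyout further down it needs the same treatment. The diag_done label and the rest of this ioctl case are outside the hunk.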
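Review bot: The new rejection path returns `error`, which nothing in the hunk assigns; at this point it holds the result of whatever call preceded the hunk, and on the path where the check fires that call succeeded, so umapfs_mount would most likely report 0 — success — for a mount it refused and abandoned after vput(). The return should be `return (EINVAL);`. If amp is heap-allocated earlier in the function (the following lines store into it, so it exists here, but the allocation is outside the hunk) this exit also needs to free it, as the other error exits presumably do.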
@@ -200,9 +200,9 @@ struct nfsd_cargs {
 char *ncd_dirp; /* Mount dir path */
 uid_t ncd_authuid; /* Effective uid */
 int ncd_authtype; /* Type of authenticator */
- int ncd_authlen; /* Length of authenticator string */
+ u_int ncd_authlen; /* Length of authenticator string */
 u_char *ncd_authstr; /* Authenticator string */
- int ncd_verflen; /* and the verifier */
+ u_int ncd_verflen; /* and the verifier */
 u_char *ncd_verfstr;
 NFSKERBKEY_T ncd_key; /* Session key */
 };
Index: nfs/nfs_vfsops.c
===================================================================
RCS file: /cvsroot/syssrc/sys/nfs/nfs_vfsops.c,v
retrieving revision 1.104
retrieving revision 1.106
diff -u -p -r1.104 -r1.106
--- nfs_vfsops.c 2001/07/01 02:13:36 1.104
+++ nfs_vfsops.c 2001/07/30 22:51:06 1.106
@@ -585,6 +585,8 @@ nfs_mount(mp, path, data, ndp, p)
 nfs_decode_args(nmp, &args);
 return (0);
 }
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX)
+ return (EINVAL);
 error = copyin((caddr_t)args.fh, (caddr_t)nfh, args.fhsize);
 if (error)
 return (error);
Index: kern/vfs_subr.c
===================================================================
RCS file: /cvsroot/syssrc/sys/kern/vfs_subr.c,v
retrieving revision 1.155
retrieving revision 1.156
diff -u -p -r1.155 -r1.156
--- vfs_subr.c 2001/07/08 10:32:38 1.155
+++ vfs_subr.c 2001/08/03 06:00:13 1.156
@@ -2093,6 +2093,10 @@ vfs_hang_addrlist(mp, nep, argp)
 mp->mnt_flag |= MNT_DEFEXPORTED;
 return (0);
 }
+
+ if (argp->ex_addrlen > MLEN)
+ return (EINVAL);
+
 i = sizeof(struct netcred) + argp->ex_addrlen + argp->ex_masklen;
 np = (struct netcred *)malloc(i, M_NETADDR, M_WAITOK);
 memset((caddr_t)np, 0, i);
Index: kern/sysv_sem.c
===================================================================
RCS file: /cvsroot/syssrc/sys/kern/sysv_sem.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -p -r1.40 -r1.41
--- sysv_sem.c 2000/07/22 16:11:02 1.40
+++ sysv_sem.c 2001/08/03 05:58:18 1.41
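Review bot: The upper bound is a named constant while the destination of the copyin is nfh; if nfh is a local array of NFSX_V3FHMAX bytes, as the name suggests, expressing the check against the buffer keeps the two from drifting apart: `if (args.fhsize < 0 || (size_t)args.fhsize > sizeof(nfh))`. The check sits after the MNT_UPDATE early return above it, so an update never validates fhsize; that is fine only if the update path does not use args.fh, which is outside the hunk. nfs_mount continues past the hunk.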
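Review bot: Only ex_addrlen is bounded, yet the very next line adds ex_masklen into the same allocation size `i`, and presumably the later copy of the mask (outside the hunk) is sized from it too, so an unbounded ex_masklen still reaches malloc; extend the guard to `if (argp->ex_addrlen > MLEN || argp->ex_masklen > MLEN) return (EINVAL);`. Whether the mask copy is separately bounded further down is not visible here, but checking both lengths at the single entry test is easier to reason about. vfs_hang_addrlist continues outside the hunk.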
@@ -570,7 +570,7 @@ sys_semop(p, v, retval)
 syscallarg(size_t) nsops;
 } */ *uap = v;
 int semid = SCARG(uap, semid);
- int nsops = SCARG(uap, nsops);
+ size_t nsops = SCARG(uap, nsops);
 struct sembuf sops[MAX_SOPS];
 struct semid_ds *semaptr;
 struct sembuf *sopptr = NULL;