Redo r258088 to avoid relying on signed arithmetic overflow, since the
compiler interprets this as undefined behaviour.  Instead, ensure
that the sum of uio_offset and uio_resid is below OFF_MAX using an
operation which cannot overflow.

Reported and tested by:	pho
Discussed with:	bde
Approved by:	des (pseudofs maintainer)
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Konstantin Belousov 2013-11-20 19:41:00 +00:00
parent c9b53336b8
commit 587430f254


@ -616,8 +616,7 @@ pfs_read(struct vop_read_args *va)
struct proc *proc;
struct sbuf *sb = NULL;
int error, locked;
off_t offset;
ssize_t buflen, resid;
off_t buflen;
PFS_TRACE(("%s", pn->pn_name));
pfs_assert_not_owned(pn);
@ -654,16 +653,12 @@ pfs_read(struct vop_read_args *va)
goto ret;
}
resid = uio->uio_resid;
offset = uio->uio_offset;
buflen = offset + resid;
/* beaucoup sanity checks so we don't ask for bogus allocation */
if (resid < 0 || buflen < offset || buflen < resid ||
buflen >= INT_MAX) {
if (uio->uio_resid < 0 || uio->uio_offset < 0 ||
uio->uio_resid > OFF_MAX - uio->uio_offset) {
error = EINVAL;
goto ret;
}
buflen = uio->uio_offset + uio->uio_resid;
if (buflen > MAXPHYS)
buflen = MAXPHYS;
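Review bot: The new check is only overflow-free because of its evaluation order, and nothing in the hunk says so: `OFF_MAX - uio->uio_offset` on the third condition is safe solely because `uio->uio_offset < 0` was rejected by the short-circuited second condition, so a later reordering of the `||` terms would silently reintroduce the signed overflow this commit removes. I would put that next to the condition, e.g. `/* uio_offset >= 0 was checked first, so OFF_MAX - uio_offset cannot overflow */`, and extend the existing "beaucoup sanity checks" comment to say that the rejected cases are negative resid, negative offset and a sum that would exceed OFF_MAX. It is also worth noting in that comment that `uio_resid` is an `ssize_t` while `uio_offset` and `buflen` are `off_t`, so on an ILP32 build the comparison and the sum on the following line happen after promotion to the wider type, which is what keeps the sum exact. The body of pfs_read continues past this hunk, so the later consumer of the clamped `buflen` is not visible here.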