kern/vfs_lockf.c: Parenthesize to make arithmetic match check.

We verified start + (fl->fl_len - 1) would not overflow, but then computed (start + fl->fl_len) - 1 instead, and it is possible for start + fl->fl_len to overflow before we subtract 1. Reported-by: syzbot+762480b00cb14085f63a@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=d69313b2460a12715315f9f5f74fbe44b8bc38ba
2022-11-25 16:15:39 +00:00 · 2022-11-25 16:15:39 +00:00 · 1a4aa843e5
parent 987ac1a246
commit 1a4aa843e5
1 changed files with 3 additions and 3 deletions
--- a/sys/kern/vfs_lockf.c
+++ b/sys/kern/vfs_lockf.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_lockf.c,v 1.77 2022/08/03 11:09:13 riastradh Exp $	*/
+/*	$NetBSD: vfs_lockf.c,v 1.78 2022/11/25 16:15:39 riastradh Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1989, 1993
@ -35,7 +35,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.77 2022/08/03 11:09:13 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.78 2022/11/25 16:15:39 riastradh Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -847,7 +847,7 @@ lf_advlock(struct vop_advlock_args *ap, struct lockf **head, off_t size)
 			if (start >= 0 &&
 			    fl->l_len - 1 > __type_max(off_t) - start)
 				return EINVAL;
-			end = start + fl->l_len - 1;
+			end = start + (fl->l_len - 1);
 		} else {
 			/* lockf() allows -ve lengths */
 			if (start < 0)