Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

readv(2), writev(2): Avoid arithmetic overflow in bounds check.

This commit is contained in:
riastradh 2022-07-10 23:12:12 +00:00
parent c02dc4be55
commit 549cd26c48
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sys/kern/sys_generic.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: sys_generic.c,v 1.133 2021/09/11 10:08:55 riastradh Exp $ */
/* $NetBSD: sys_generic.c,v 1.134 2022/07/10 23:12:12 riastradh Exp $ */
/*-
* Copyright (c) 2007, 2008, 2009 The NetBSD Foundation, Inc.
@ -70,7 +70,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sys_generic.c,v 1.133 2021/09/11 10:08:55 riastradh Exp $");
__KERNEL_RCSID(0, "$NetBSD: sys_generic.c,v 1.134 2022/07/10 23:12:12 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -255,7 +255,8 @@ do_filereadv(int fd, const struct iovec *iovp, int iovcnt,
* Therefore we must restrict the length to SSIZE_MAX to
* avoid garbage return values.
*/
if (iov->iov_len > SSIZE_MAX || auio.uio_resid > SSIZE_MAX) {
if (iov->iov_len > SSIZE_MAX ||
auio.uio_resid > SSIZE_MAX - iov->iov_len) {
error = EINVAL;
goto done;
}
@ -456,7 +457,8 @@ do_filewritev(int fd, const struct iovec *iovp, int iovcnt,
* Therefore we must restrict the length to SSIZE_MAX to
* avoid garbage return values.
*/
if (iov->iov_len > SSIZE_MAX || auio.uio_resid > SSIZE_MAX) {
if (iov->iov_len > SSIZE_MAX ||
auio.uio_resid > SSIZE_MAX - iov->iov_len) {
error = EINVAL;
goto done;
}