Check if member io_count is non-negative. If it's negative, the call to device_read_alloc() will fail. Return KERN_INVALID_ARGUMENT in that case.
* device/blkio.c (block_io): Check if member io_count is non-negative.
---
 device/blkio.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/device/blkio.c b/device/blkio.c
index 939067d..c989157 100644
--- a/device/blkio.c
+++ b/device/blkio.c
@@ -57,8 +57,12 @@ io_return_t block_io(strat, max_count, ior)
 * If reading, allocate memory. If writing, wire
 * down the incoming memory.
 */
- if (ior->io_op & IO_READ)
- rc = device_read_alloc(ior, (vm_size_t)ior->io_count);
+ if (ior->io_op & IO_READ) {
+ if (ior->io_count >= 0)
+ rc = device_read_alloc(ior, (vm_size_t)ior->io_count);
+ else
+ return KERN_INVALID_ARGUMENT;
+ }
 else
 rc = device_write_get(ior, &wait);
-- 
1.8.1.4
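Review bot: The sign check on `ior->io_count` covers only the IO_READ arm, so on the write arm the same request is handed to `device_write_get(ior, &wait)` with the count unvalidated; whether that callee rejects a negative count cannot be seen from this hunk. Hoisting the test above the branch as a guard, `if (ior->io_count < 0) return KERN_INVALID_ARGUMENT;`, would cover both directions and leave the original two-line if/else untouched. A one-line comment such as `/* io_count is signed; a negative value cast to vm_size_t becomes a huge size */` would record why the check exists. block_io's body starts and ends outside the hunk, so any later validation is not visible here.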