chario.c (char_write): check if io_count is larger or equal to zero and cast it to vm_size_t

Marin Ramesa Mon, 09 Dec 2013 14:59:15 -0800

Check if member io_count is non-negative. If it is negative, the call to 
vm_deallocate() will fail. Return KERN_INVALID_ARGUMENT in that case.


* device/chario.c (char_write): Check if member io_count is non-negative.
(char_write) (vm_deallocate) (io_count): Cast to vm_size_t.

---
 device/chario.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/device/chario.c b/device/chario.c
index 8d68857..c9f946c 100644
--- a/device/chario.c
+++ b/device/chario.c
@@ -325,8 +325,12 @@ out:
        simple_unlock(&tp->t_lock);
        splx(s);
 
-       if (!(ior->io_op & IO_INBAND))
-           (void) vm_deallocate(device_io_map, addr, ior->io_count);
+       if (!(ior->io_op & IO_INBAND)) {
+           if (ior->io_count >= 0)
+               (void) vm_deallocate(device_io_map, addr, 
(vm_size_t)ior->io_count);
+           else
+               return KERN_INVALID_ARGUMENT;
+       }
        return rc;
 }
 
-- 
1.8.1.4

[PATCH 06/29] device/chario.c (char_write): check if io_count is larger or equal to zero and cast it to vm_size_t

Reply via email to