This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 89df084b0e51593643ccc2f6427ac11c99243295
Author: wangjianyu3 <wangjian...@xiaomi.com>
AuthorDate: Wed Jun 4 12:46:16 2025 +0800
fs/vfs: check if all `iov_base` are accessible
Check if all `iov_base` are inside accessible address space.
Signed-off-by: wangjianyu3 <wangjian...@xiaomi.com>
---
fs/vfs/fs_read.c | 14 +++++++++++++-
fs/vfs/fs_write.c | 13 ++++++++++++-
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/fs/vfs/fs_read.c b/fs/vfs/fs_read.c
index f21107182b..0c99509cba 100644
--- a/fs/vfs/fs_read.c
+++ b/fs/vfs/fs_read.c
@@ -159,11 +159,23 @@ ssize_t file_readv(FAR struct file *filep,
FAR const struct iovec *iov, int iovcnt)
{
FAR struct inode *inode;
- ssize_t ret = -EBADF;
+ ssize_t ret;
DEBUGASSERT(filep);
inode = filep->f_inode;
+ /* Are all iov_base accessible? */
+
+ for (ret = 0; ret < iovcnt; ret++)
+ {
+ if (iov[ret].iov_base == NULL && iov[ret].iov_len != 0)
+ {
+ return -EFAULT;
+ }
+ }
+
+ ret = -EBADF;
+
/* Was this file opened for read access? */
if ((filep->f_oflags & O_RDOK) == 0)
diff --git a/fs/vfs/fs_write.c b/fs/vfs/fs_write.c
index 22195de380..896e256040 100644
--- a/fs/vfs/fs_write.c
+++ b/fs/vfs/fs_write.c
@@ -144,7 +144,7 @@ ssize_t file_writev(FAR struct file *filep,
FAR const struct iovec *iov, int iovcnt)
{
FAR struct inode *inode;
- ssize_t ret = -EBADF;
+ ssize_t ret;
/* Was this file opened for write access? */
@@ -153,10 +153,21 @@ ssize_t file_writev(FAR struct file *filep,
return -EACCES;
}
+ /* Are all iov_base accessible? */
+
+ for (ret = 0; ret < iovcnt; ret++)
+ {
+ if (iov[ret].iov_base == NULL && iov[ret].iov_len != 0)
+ {
+ return -EFAULT;
+ }
+ }
+
/* Is a driver registered? Does it support the write method?
* If yes, then let the driver perform the write.
*/
+ ret = -EBADF;
inode = filep->f_inode;
if (inode != NULL && inode->u.i_ops)
{
