kern

Taylor R Campbell Sun, 10 Jul 2022 16:12:19 -0700

Module Name:    src
Committed By:   riastradh
Date:           Sun Jul 10 23:12:12 UTC 2022


Modified Files:
        src/sys/kern: sys_generic.c

Log Message:
readv(2), writev(2): Avoid arithmetic overflow in bounds check.


To generate a diff of this commit:
cvs rdiff -u -r1.133 -r1.134 src/sys/kern/sys_generic.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/sys_generic.c
diff -u src/sys/kern/sys_generic.c:1.133 src/sys/kern/sys_generic.c:1.134
--- src/sys/kern/sys_generic.c:1.133	Sat Sep 11 10:08:55 2021
+++ src/sys/kern/sys_generic.c	Sun Jul 10 23:12:12 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_generic.c,v 1.133 2021/09/11 10:08:55 riastradh Exp $	*/
+/*	$NetBSD: sys_generic.c,v 1.134 2022/07/10 23:12:12 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_generic.c,v 1.133 2021/09/11 10:08:55 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_generic.c,v 1.134 2022/07/10 23:12:12 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -255,7 +255,8 @@ do_filereadv(int fd, const struct iovec 
 		 * Therefore we must restrict the length to SSIZE_MAX to
 		 * avoid garbage return values.
 		 */
-		if (iov->iov_len > SSIZE_MAX || auio.uio_resid > SSIZE_MAX) {
+		if (iov->iov_len > SSIZE_MAX ||
+		    auio.uio_resid > SSIZE_MAX - iov->iov_len) {
 			error = EINVAL;
 			goto done;
 		}
@@ -456,7 +457,8 @@ do_filewritev(int fd, const struct iovec
 		 * Therefore we must restrict the length to SSIZE_MAX to
 		 * avoid garbage return values.
 		 */
-		if (iov->iov_len > SSIZE_MAX || auio.uio_resid > SSIZE_MAX) {
+		if (iov->iov_len > SSIZE_MAX ||
+		    auio.uio_resid > SSIZE_MAX - iov->iov_len) {
 			error = EINVAL;
 			goto done;
 		}

CVS commit: src/sys/kern

Reply via email to