Casting the result of ext2fs_size() and DIP(ip, size) to int potentially truncates the result. Issue found by Stefan Kempf, see https://marc.info/?l=openbsd-tech&m=145495905416536 .
While there I also removed the cast in the ext2fs_chmod() call, because the function expects a mode_t argument anyway. Comments? natano
Index: ufs//ext2fs/ext2fs_readwrite.c
===================================================================
RCS file: /cvs/src/sys/ufs/ext2fs/ext2fs_readwrite.c,v
retrieving revision 1.37
diff -u -p -u -r1.37 ext2fs_readwrite.c
--- ufs//ext2fs/ext2fs_readwrite.c 16 Feb 2016 17:56:12 -0000 1.37
+++ ufs//ext2fs/ext2fs_readwrite.c 17 Feb 2016 09:13:59 -0000
@@ -95,7 +95,7 @@ ext2_ind_read(struct vnode *vp, struct i
 panic("%s: mode", "ext2fs_read");
 if (vp->v_type == VLNK) {
- if ((int)ext2fs_size(ip) < vp->v_mount->mnt_maxsymlinklen ||
+ if (ext2fs_size(ip) < vp->v_mount->mnt_maxsymlinklen ||
 (vp->v_mount->mnt_maxsymlinklen == 0 && ip->i_e2fs_nblock == 0))
 panic("%s: short symlink", "ext2fs_read");
Index: ufs//ext2fs/ext2fs_vnops.c
===================================================================
RCS file: /cvs/src/sys/ufs/ext2fs/ext2fs_vnops.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 ext2fs_vnops.c
--- ufs//ext2fs/ext2fs_vnops.c 16 Feb 2016 17:56:12 -0000 1.74
+++ ufs//ext2fs/ext2fs_vnops.c 17 Feb 2016 09:13:59 -0000
@@ -322,7 +322,7 @@ ext2fs_setattr(void *v)
 if (vap->va_mode != (mode_t)VNOVAL) {
 if (vp->v_mount->mnt_flag & MNT_RDONLY)
 return (EROFS);
- error = ext2fs_chmod(vp, (int)vap->va_mode, cred, p);
+ error = ext2fs_chmod(vp, vap->va_mode, cred, p);
 }
 return (error);
 }
Index: ufs//ffs/ffs_vnops.c
===================================================================
RCS file: /cvs/src/sys/ufs/ffs/ffs_vnops.c,v
retrieving revision 1.82
diff -u -p -u -r1.82 ffs_vnops.c
--- ufs//ffs/ffs_vnops.c 16 Feb 2016 17:56:12 -0000 1.82
+++ ufs//ffs/ffs_vnops.c 17 Feb 2016 09:13:59 -0000
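Review bot: The uncast comparison `ext2fs_size(ip) < vp->v_mount->mnt_maxsymlinklen` in the ext2_ind_read hunk now depends on implicit signed/unsigned conversion, and neither operand's type is visible in this diff. If the size is an unsigned 64-bit value and `mnt_maxsymlinklen` is a signed int, as the truncation concern in the description suggests, the right-hand side is converted to unsigned, so a negative `mnt_maxsymlinklen` would compare as a very large number and every symlink read would reach the `panic()`. It is worth confirming that the mount code rejects a negative value before storing it, and recording that next to the check, e.g. `/* mnt_maxsymlinklen is never negative (checked at mount), so the unsigned compare is safe */`. The same applies to `DIP(ip, size) < vp->v_mount->mnt_maxsymlinklen` in the ffs_read hunk; both functions begin and end outside their hunks.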
@@ -207,7 +207,7 @@ ffs_read(void *v)
 panic("ffs_read: mode");
 if (vp->v_type == VLNK) {
- if ((int)DIP(ip, size) < vp->v_mount->mnt_maxsymlinklen ||
+ if (DIP(ip, size) < vp->v_mount->mnt_maxsymlinklen ||
 (vp->v_mount->mnt_maxsymlinklen == 0 && DIP(ip, blocks) == 0))
 panic("ffs_read: short symlink");