authorkib <kib@FreeBSD.org>2013-12-17 13:10:28 +0000
committerkib <kib@FreeBSD.org>2013-12-17 13:10:28 +0000
commit293c11687ede082f16e5f20e6fa5328b1330cf99 (patch)
treef72d550178dfa61795c52e6c7f668436e697664b
parent758e3a99342f38f2affc2019fd5b16adf0898255 (diff)
MFC r258088:
Add check for buflen overflow by comparing the buflen with both offset and resid. MFC r258397: Redo r258088 to avoid relying on signed arithmetic overflow.
-rw-r--r--sys/fs/pseudofs/pseudofs_vnops.c11
1 files changed, 4 insertions, 7 deletions
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index 9f97cd3..f00b4b2 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -616,8 +616,7 @@ pfs_read(struct vop_read_args *va)
struct proc *proc;
struct sbuf *sb = NULL;
int error, locked;
- off_t offset;
- ssize_t buflen, resid;
+ off_t buflen;
PFS_TRACE(("%s", pn->pn_name));
pfs_assert_not_owned(pn);
@@ -654,14 +653,12 @@ pfs_read(struct vop_read_args *va)
goto ret;
}
- /* beaucoup sanity checks so we don't ask for bogus allocation */
- if (uio->uio_offset < 0 || uio->uio_resid < 0 ||
- (offset = uio->uio_offset) != uio->uio_offset ||
- (resid = uio->uio_resid) != uio->uio_resid ||
- (buflen = offset + resid) < offset || buflen >= INT_MAX) {
+ if (uio->uio_resid < 0 || uio->uio_offset < 0 ||
+ uio->uio_resid > OFF_MAX - uio->uio_offset) {
error = EINVAL;
goto ret;
}
+ buflen = uio->uio_offset + uio->uio_resid;
if (buflen > MAXPHYS)
buflen = MAXPHYS;
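Review bot: The rewritten guard in pfs_read is overflow-free only because of evaluation order, and nothing in the new code says so: `OFF_MAX - uio->uio_offset` is safe only once the `uio->uio_offset < 0` test has short-circuited, and the commit drops the old comment without replacing it. I would add a comment above the `if`, for example `/* Reject negative resid/offset first so OFF_MAX - uio_offset cannot overflow; only then is offset + resid safe to compute. */`, so that a later reorder of the conditions does not reintroduce the signed overflow. With the `buflen >= INT_MAX` test gone, the `MAXPHYS` clamp is now the only upper bound on buflen; if buflen is later passed as an int-sized length (not visible in this hunk), a short note next to the clamp saying it is load-bearing would help. pfs_read starts and ends outside the hunk.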