diff options
author | bde <bde@FreeBSD.org> | 2002-06-06 00:35:07 +0000 |
---|---|---|
committer | bde <bde@FreeBSD.org> | 2002-06-06 00:35:07 +0000 |
commit | f55264a991f870cdb779c4ba9fc224190459b2f2 (patch) | |
tree | 27457c04f8a31c9b3fcffb85c1ae4f9122df8276 /sys/kern | |
parent | 0a075ee9e1c8bf6843356d6b6264ed72e41fdfa9 (diff) | |
download | FreeBSD-src-f55264a991f870cdb779c4ba9fc224190459b2f2.zip FreeBSD-src-f55264a991f870cdb779c4ba9fc224190459b2f2.tar.gz |
Fixed overflow in the bounds checking in dscheck(). It assumed that
daadr_t is no larger than a long, and some other relatively harmless
things (*blush*). Overflow for subtracting a daddr_t from a u_long
caused "truncation" of the i/o for attempts to access blocks beyond
the end of the actually cause expansion of the i/o to a preposterous
size.
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/subr_diskslice.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/kern/subr_diskslice.c b/sys/kern/subr_diskslice.c index 9259bf8..a52e301 100644 --- a/sys/kern/subr_diskslice.c +++ b/sys/kern/subr_diskslice.c @@ -56,6 +56,7 @@ #include <sys/fcntl.h> #include <sys/malloc.h> #include <sys/stat.h> +#include <sys/stdint.h> #include <sys/syslog.h> #include <sys/vnode.h> @@ -224,19 +225,18 @@ if (labelsect != 0) Debugger("labelsect != 0 in dscheck()"); #endif /* beyond partition? */ - if (secno + nsec > endsecno) { + if ((uintmax_t)secno + nsec > endsecno) { /* if exactly at end of disk, return an EOF */ if (secno == endsecno) { bp->bio_resid = bp->bio_bcount; return (0); } /* or truncate if part of it fits */ - nsec = endsecno - secno; - if (nsec <= 0) { + if (secno > endsecno) { bp->bio_error = EINVAL; goto bad; } - bp->bio_bcount = nsec * ssp->dss_secsize; + bp->bio_bcount = (endsecno - secno) * ssp->dss_secsize; } bp->bio_pblkno = sp->ds_offset + slicerel_secno; |