authorbde <bde@FreeBSD.org>2002-06-06 00:35:07 +0000
committerbde <bde@FreeBSD.org>2002-06-06 00:35:07 +0000
commitf55264a991f870cdb779c4ba9fc224190459b2f2 (patch)
tree27457c04f8a31c9b3fcffb85c1ae4f9122df8276 /sys/kern
parent0a075ee9e1c8bf6843356d6b6264ed72e41fdfa9 (diff)
Fixed overflow in the bounds checking in dscheck(). It assumed that
daddr_t is no larger than a long, and some other relatively harmless things (*blush*). Overflow for subtracting a daddr_t from a u_long caused "truncation" of the i/o for attempts to access blocks beyond the end of the [partition] to actually cause expansion of the i/o to a preposterous size.
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/subr_diskslice.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/kern/subr_diskslice.c b/sys/kern/subr_diskslice.c
index 9259bf8..a52e301 100644
--- a/sys/kern/subr_diskslice.c
+++ b/sys/kern/subr_diskslice.c
@@ -56,6 +56,7 @@
#include <sys/fcntl.h>
#include <sys/malloc.h>
#include <sys/stat.h>
+#include <sys/stdint.h>
#include <sys/syslog.h>
#include <sys/vnode.h>
@@ -224,19 +225,18 @@ if (labelsect != 0) Debugger("labelsect != 0 in dscheck()");
#endif
/* beyond partition? */
- if (secno + nsec > endsecno) {
+ if ((uintmax_t)secno + nsec > endsecno) {
/* if exactly at end of disk, return an EOF */
if (secno == endsecno) {
bp->bio_resid = bp->bio_bcount;
return (0);
}
/* or truncate if part of it fits */
- nsec = endsecno - secno;
- if (nsec <= 0) {
+ if (secno > endsecno) {
bp->bio_error = EINVAL;
goto bad;
}
- bp->bio_bcount = nsec * ssp->dss_secsize;
+ bp->bio_bcount = (endsecno - secno) * ssp->dss_secsize;
}
bp->bio_pblkno = sp->ds_offset + slicerel_secno;
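Review bot: The new guard `if (secno > endsecno)` does not by itself reject a negative secno: the cast in `(uintmax_t)secno + nsec` turns a negative value into a huge one, so the branch is entered, but where daddr_t is wider than u_long (the case the commit message describes) the two later comparisons are done in the signed type, both fail, and `endsecno - secno` comes out larger than endsecno. The declarations and any earlier sign check on the block number are outside this hunk, so this is inferred from the types named in the commit message; if nothing earlier in dscheck() rejects it, write the test as `if (secno < 0 || secno > endsecno) {`. The truncated count is also no longer stored back into nsec, so any later use of nsec in the function would see the untruncated value. A short comment on the cast, e.g. `/* widen first: daddr_t may be larger than long, so secno + nsec can wrap */`, would keep the reason for it visible.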