syscall() fuzzing can trigger this panic. Return EINVAL instead.

MFC after: 1 week
author: pho <pho@FreeBSD.org> 2012-03-08 12:49:08 +0000
committer: pho <pho@FreeBSD.org> 2012-03-08 12:49:08 +0000
commit: ab94e0990912f79ac6b7bfbd4fdd1f430897cde8 (patch)
tree: 5ec68963cdaa8c0b226efd3ff42c16a77a9b9005 /sys/ufs
parent: d8060072d1c3c7524d479041d0b27e86668a0fe9 (diff)
download: FreeBSD-src-ab94e0990912f79ac6b7bfbd4fdd1f430897cde8.zip
FreeBSD-src-ab94e0990912f79ac6b7bfbd4fdd1f430897cde8.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/ufs/ffs/ffs_vnops.c b/sys/ufs/ffs/ffs_vnops.c
index 9e8648e..5535855 100644
--- a/sys/ufs/ffs/ffs_vnops.c
+++ b/sys/ufs/ffs/ffs_vnops.c
@@ -464,11 +464,11 @@ ffs_read(ap)
 	} else if (vp->v_type != VREG && vp->v_type != VDIR)
 		panic("ffs_read: type %d",  vp->v_type);
 #endif
+	if (uio->uio_resid < 0 || uio->uio_offset < 0)
+		return (EINVAL);
 	orig_resid = uio->uio_resid;
-	KASSERT(orig_resid >= 0, ("ffs_read: uio->uio_resid < 0"));
 	if (orig_resid == 0)
 		return (0);
-	KASSERT(uio->uio_offset >= 0, ("ffs_read: uio->uio_offset < 0"));
 	fs = ip->i_fs;
 	if (uio->uio_offset < ip->i_size &&
 	    uio->uio_offset >= fs->fs_maxfilesize)
author	pho <pho@FreeBSD.org>	2012-03-08 12:49:08 +0000
committer	pho <pho@FreeBSD.org>	2012-03-08 12:49:08 +0000
commit	ab94e0990912f79ac6b7bfbd4fdd1f430897cde8 (patch)
tree	5ec68963cdaa8c0b226efd3ff42c16a77a9b9005 /sys/ufs
parent	d8060072d1c3c7524d479041d0b27e86668a0fe9 (diff)
download	FreeBSD-src-ab94e0990912f79ac6b7bfbd4fdd1f430897cde8.zip FreeBSD-src-ab94e0990912f79ac6b7bfbd4fdd1f430897cde8.tar.gz