author | pho <pho@FreeBSD.org> | 2012-03-08 12:49:08 +0000 |
---|---|---|
committer | pho <pho@FreeBSD.org> | 2012-03-08 12:49:08 +0000 |
commit | ab94e0990912f79ac6b7bfbd4fdd1f430897cde8 (patch) | |
tree | 5ec68963cdaa8c0b226efd3ff42c16a77a9b9005 /sys/ufs | |
parent | d8060072d1c3c7524d479041d0b27e86668a0fe9 (diff) | |
syscall() fuzzing can trigger this panic. Return EINVAL instead.
MFC after: 1 week
Diffstat (limited to 'sys/ufs')
-rw-r--r-- | sys/ufs/ffs/ffs_vnops.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/ufs/ffs/ffs_vnops.c b/sys/ufs/ffs/ffs_vnops.c
index 9e8648e..5535855 100644
--- a/sys/ufs/ffs/ffs_vnops.c
+++ b/sys/ufs/ffs/ffs_vnops.c
@@ -464,11 +464,11 @@ ffs_read(ap)
 } else if (vp->v_type != VREG && vp->v_type != VDIR)
 panic("ffs_read: type %d", vp->v_type);
 #endif
+ if (uio->uio_resid < 0 || uio->uio_offset < 0)
+ return (EINVAL);
 orig_resid = uio->uio_resid;
- KASSERT(orig_resid >= 0, ("ffs_read: uio->uio_resid < 0"));
 if (orig_resid == 0)
 return (0);
- KASSERT(uio->uio_offset >= 0, ("ffs_read: uio->uio_offset < 0"));
 fs = ip->i_fs;
 if (uio->uio_offset < ip->i_size &&
 uio->uio_offset >= fs->fs_maxfilesize) |
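Review bot: The new `if (uio->uio_resid < 0 || uio->uio_offset < 0)` guard has no comment explaining why it is an unconditional runtime check, and the removed KASSERTs were the only in-code record that these fields are expected to be non-negative. I would put `/* uio_resid and uio_offset can arrive unvalidated from a system call; reject them rather than assert. */` above it, so a later cleanup does not fold it back into the conditional block that ends at the `#endif` just before it. The offset test now also runs before the `orig_resid == 0` early return, so a zero-length read with a negative offset returns EINVAL where it previously returned 0; that looks intentional but deserves a mention in the log. Only ffs_read is changed, and its body starts and ends outside the hunk; if ffs_write or other entry points in this file carry the same assertions, which is not visible here, they would presumably need the same check.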