diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2021-04-13 19:12:19 +0000 |
|---|---|---|
| committer | Konstantin Belousov <kib@FreeBSD.org> | 2021-04-14 07:23:20 +0000 |
| commit | 116f26f947b8bbf868dcd85d79226406029a45ee (patch) | |
| tree | 13a3020de7c560545d2e20be7f83ed367458eb74 | |
| parent | fb451895fba7dee139594c722adb5f79af154341 (diff) | |
| download | src-116f26f947b8bbf868dcd85d79226406029a45ee.tar.gz src-116f26f947b8bbf868dcd85d79226406029a45ee.zip | |
sbuf_uionew(): sbuf_new() takes int as length
and length should be not less than SBUF_MINSIZE
Reported and tested by: pho
Noted and reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D29752
| -rw-r--r-- | sys/kern/subr_sbuf.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/kern/subr_sbuf.c b/sys/kern/subr_sbuf.c index cdeaf690208f..b7f135e81206 100644 --- a/sys/kern/subr_sbuf.c +++ b/sys/kern/subr_sbuf.c @@ -266,6 +266,10 @@ sbuf_uionew(struct sbuf *s, struct uio *uio, int *error) KASSERT(error != NULL, ("%s called with NULL error pointer", __func__)); + if (uio->uio_resid >= INT_MAX || uio->uio_resid < SBUF_MINSIZE - 1) { + *error = EINVAL; + return (NULL); + } s = sbuf_new(s, NULL, uio->uio_resid + 1, 0); if (s == NULL) { *error = ENOMEM; |