Date:      Thu, 8 Mar 2012 12:49:08 +0000 (UTC)
From:      Peter Holm <pho@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r232692 - head/sys/ufs/ffs
Message-ID:  <201203081249.q28Cn9ed045648@svn.freebsd.org>

Author: pho
Date: Thu Mar  8 12:49:08 2012
New Revision: 232692
URL: http://svn.freebsd.org/changeset/base/232692

Log:
  syscall() fuzzing can trigger this panic. Return EINVAL instead.
  
  MFC after:	1 week

Modified:
  head/sys/ufs/ffs/ffs_vnops.c

Modified: head/sys/ufs/ffs/ffs_vnops.c
==============================================================================
--- head/sys/ufs/ffs/ffs_vnops.c	Thu Mar  8 11:05:53 2012	(r232691)
+++ head/sys/ufs/ffs/ffs_vnops.c	Thu Mar  8 12:49:08 2012	(r232692)
@@ -464,11 +464,11 @@ ffs_read(ap)
 	} else if (vp->v_type != VREG && vp->v_type != VDIR)
 		panic("ffs_read: type %d",  vp->v_type);
 #endif
+	if (uio->uio_resid < 0 || uio->uio_offset < 0)
+		return (EINVAL);
 	orig_resid = uio->uio_resid;
-	KASSERT(orig_resid >= 0, ("ffs_read: uio->uio_resid < 0"));
 	if (orig_resid == 0)
 		return (0);
-	KASSERT(uio->uio_offset >= 0, ("ffs_read: uio->uio_offset < 0"));
 	fs = ip->i_fs;
 	if (uio->uio_offset < ip->i_size &&
 	    uio->uio_offset >= fs->fs_maxfilesize)
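Review bot: The new guard at the top of the hunk should carry a comment saying why it is a runtime check and not an assertion, because the two KASSERTs it replaces were only compiled in under INVARIANTS and a later cleanup could turn the check back into an assertion and restore the panic; suggested: `/* uio comes from userland (reachable via syscall fuzzing): reject, do not assert. */`. Since the offending values arrive in the uio passed to VOP_READ, any other filesystem whose read routine still asserts on them is presumably reachable the same way, so it is worth checking whether the rejection belongs once in the VFS/syscall path (vn_read/dofileread) rather than in each filesystem — hedged, as that code is not in this hunk. Note also a small semantic change: the offset check now precedes the `orig_resid == 0` early return, so a zero-length read at a negative offset now fails with EINVAL where it previously returned 0; that is likely desirable but deserves a mention in the log. ffs_read begins and ends outside this hunk.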


