Date: Thu, 8 Mar 2012 12:49:08 +0000 (UTC) From: Peter Holm <pho@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r232692 - head/sys/ufs/ffs Message-ID: <201203081249.q28Cn9ed045648@svn.freebsd.org>
Author: pho Date: Thu Mar 8 12:49:08 2012 New Revision: 232692 URL: http://svn.freebsd.org/changeset/base/232692 Log: syscall() fuzzing can trigger this panic. Return EINVAL instead. MFC after: 1 week Modified: head/sys/ufs/ffs/ffs_vnops.c
Modified: head/sys/ufs/ffs/ffs_vnops.c
==============================================================================
--- head/sys/ufs/ffs/ffs_vnops.c Thu Mar 8 11:05:53 2012 (r232691)
+++ head/sys/ufs/ffs/ffs_vnops.c Thu Mar 8 12:49:08 2012 (r232692)
@@ -464,11 +464,11 @@ ffs_read(ap)
 } else if (vp->v_type != VREG && vp->v_type != VDIR)
 panic("ffs_read: type %d", vp->v_type);
 #endif
+ if (uio->uio_resid < 0 || uio->uio_offset < 0)
+ return (EINVAL);
 orig_resid = uio->uio_resid;
- KASSERT(orig_resid >= 0, ("ffs_read: uio->uio_resid < 0"));
 if (orig_resid == 0)
 return (0);
- KASSERT(uio->uio_offset >= 0, ("ffs_read: uio->uio_offset < 0"));
 fs = ip->i_fs;
 if (uio->uio_offset < ip->i_size && uio->uio_offset >= fs->fs_maxfilesize)