git: 116f26f947b8 - main - sbuf_uionew(): sbuf_new() takes int as length
Konstantin Belousov
kib at FreeBSD.org
Wed Apr 14 07:24:35 UTC 2021
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=116f26f947b8bbf868dcd85d79226406029a45ee
commit 116f26f947b8bbf868dcd85d79226406029a45ee
Author: Konstantin Belousov <kib at FreeBSD.org>
AuthorDate: 2021-04-13 19:12:19 +0000
Commit: Konstantin Belousov <kib at FreeBSD.org>
CommitDate: 2021-04-14 07:23:20 +0000
sbuf_uionew(): sbuf_new() takes int as length
and length should be not less than SBUF_MINSIZE
Reported and tested by: pho
Noted and reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D29752
---
sys/kern/subr_sbuf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/kern/subr_sbuf.c b/sys/kern/subr_sbuf.c
index cdeaf690208f..b7f135e81206 100644
--- a/sys/kern/subr_sbuf.c
+++ b/sys/kern/subr_sbuf.c
@@ -266,6 +266,10 @@ sbuf_uionew(struct sbuf *s, struct uio *uio, int *error)
KASSERT(error != NULL,
("%s called with NULL error pointer", __func__));
+ if (uio->uio_resid >= INT_MAX || uio->uio_resid < SBUF_MINSIZE - 1) {
+ *error = EINVAL;
+ return (NULL);
+ }
s = sbuf_new(s, NULL, uio->uio_resid + 1, 0);
if (s == NULL) {
*error = ENOMEM;
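Review bot: the added range check on uio->uio_resid has no comment tying its two limits to the `uio->uio_resid + 1` length passed to sbuf_new() in the statement right after it. The `>= INT_MAX` test keeps that sum representable in the int that sbuf_new() takes, and `< SBUF_MINSIZE - 1` keeps it at or above SBUF_MINSIZE; the `- 1` and `+ 1` only make sense read together, so a one-line comment above the `if` would stop a later edit from changing one without the other. The lower bound also makes short requests fail with EINVAL instead of rounding the allocation up to SBUF_MINSIZE. If rejecting them is the intent, say so in the function's documentation so callers know which errors to expect besides ENOMEM.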