authorguenther <guenther@openbsd.org>2012-12-31 06:44:11 +0000
committerguenther <guenther@openbsd.org>2012-12-31 06:44:11 +0000
commita1323d9afd4a4eb9fbded58f7f932ac790459173 (patch)
tree62db1432d87fa7d8d87c5929c87230b6f68b89c8
parentDeclare ucom as a DV_TTY class device, not DV_DULL; Alexander Polakov (diff)
Eliminate orig_errno, which could be uninitialized in one case, by doing
the emulation errno mapping directly into the register in the trapframe. Range check the value in that case to guarantee there isn't an out-of-bounds array access. Uninitialized variable issue pointed out by David Hill. Range check suggested by matthew@ ok miod@
-rw-r--r--sys/arch/i386/i386/trap.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/sys/arch/i386/i386/trap.c b/sys/arch/i386/i386/trap.c
index 1da69bf5848..a1bec669502 100644
--- a/sys/arch/i386/i386/trap.c
+++ b/sys/arch/i386/i386/trap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: trap.c,v 1.106 2012/10/31 03:30:22 jsg Exp $ */
+/* $OpenBSD: trap.c,v 1.107 2012/12/31 06:44:11 guenther Exp $ */
/* $NetBSD: trap.c,v 1.95 1996/05/05 06:50:02 mycroft Exp $ */
/*-
@@ -542,7 +542,7 @@ syscall(struct trapframe *frame)
caddr_t params;
struct sysent *callp;
struct proc *p;
- int orig_error, error, opc, nsys;
+ int error, opc, nsys;
register_t code, args[8], rval[2];
#ifdef DIAGNOSTIC
int ocpl = lapic_tpr;
@@ -643,7 +643,7 @@ syscall(struct trapframe *frame)
rval[0] = 0;
rval[1] = frame->tf_edx;
- orig_error = error = mi_syscall(p, code, callp, args, rval);
+ error = mi_syscall(p, code, callp, args, rval);
switch (error) {
case 0:
@@ -664,14 +664,15 @@ syscall(struct trapframe *frame)
break;
default:
bad:
- if (p->p_emul->e_errno)
- error = p->p_emul->e_errno[error];
- frame->tf_eax = error;
+ if (p->p_emul->e_errno && error >= 0 && error <= ELAST)
+ frame->tf_eax = p->p_emul->e_errno[error];
+ else
+ frame->tf_eax = error;
frame->tf_eflags |= PSL_C; /* carry bit */
break;
}
- mi_syscall_return(p, code, orig_error, rval);
+ mi_syscall_return(p, code, error, rval);
#ifdef DIAGNOSTIC
if (lapic_tpr != ocpl) {
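Review bot: The new bound `error <= ELAST` in the `bad:` path is only safe if every emulation's `e_errno` table holds at least ELAST + 1 entries, and nothing visible in this hunk states or enforces that; the tables are defined outside the diff, so this is an assumption to confirm. I would record the contract next to the check, e.g. `/* e_errno[] is indexed by native errno and must have ELAST + 1 entries; out-of-range values are returned unmapped */`. The `else` branch also means an emulated process receives an untranslated value in `tf_eax` whenever the check fails, which is worth stating in the same comment so it reads as deliberate rather than accidental. `syscall()` begins and ends outside this hunk, so the code that jumps to `bad:` (presumably the path where `orig_error` was left unset) is not visible here.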