More possible int overflows found by Silvio Cesare.

ibcs2_stat.c one OK by provos@

2 files changed, 15 insertions, 6 deletions

diff --git a/sys/compat/hpux/hpux_compat.c b/sys/compat/hpux/hpux_compat.c
index f537a2d370e..ac19d041061 100644
--- a/sys/compat/hpux/hpux_compat.c
+++ b/sys/compat/hpux/hpux_compat.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: hpux_compat.c,v 1.19 2002/03/14 20:31:31 mickey Exp $	*/
+/*	$OpenBSD: hpux_compat.c,v 1.20 2002/08/02 18:06:25 millert Exp $	*/
 /*	$NetBSD: hpux_compat.c,v 1.35 1997/05/08 16:19:48 mycroft Exp $	*/
 
 /*
@@ -417,10 +417,14 @@ hpux_sys_utssys(p, v, retval)
 	/* gethostname */
 	case 5:
 		/* SCARG(uap, dev) is length */
-		if (SCARG(uap, dev) > hostnamelen + 1)
-			SCARG(uap, dev) = hostnamelen + 1;
-		error = copyout((caddr_t)hostname, (caddr_t)SCARG(uap, uts),
-				SCARG(uap, dev));
+		i = SCARG(uap, dev);
+		if (i < 0) {
+			error = EINVAL;
+			break;
+		}
+		if (i > hostnamelen + 1)
+			i = hostnamelen + 1;
+		error = copyout((caddr_t)hostname, (caddr_t)SCARG(uap, uts), i);
 		break;
 
 	case 1:	/* ?? */
diff --git a/sys/compat/ibcs2/ibcs2_stat.c b/sys/compat/ibcs2/ibcs2_stat.c
index 04534fc0eca..366f49f7a10 100644
--- a/sys/compat/ibcs2/ibcs2_stat.c
+++ b/sys/compat/ibcs2/ibcs2_stat.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ibcs2_stat.c,v 1.9 2002/03/14 20:31:31 mickey Exp $	*/
+/*	$OpenBSD: ibcs2_stat.c,v 1.10 2002/08/02 18:06:25 millert Exp $	*/
 /*	$NetBSD: ibcs2_stat.c,v 1.5 1996/05/03 17:05:32 christos Exp $	*/
 
 /*
@@ -84,6 +84,11 @@ cvt_statfs(sp, buf, len)
 {
 	struct ibcs2_statfs ssfs;
 
+	if (len < 0)
+		return (EINVAL);
+	if (len > sizeof(ssfs))
+		len = sizeof(ssfs);
+
 	bzero(&ssfs, sizeof ssfs);
 	ssfs.f_fstyp = 0;
 	ssfs.f_bsize = sp->f_bsize;