summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorKenneth R Westerback <krw@cvs.openbsd.org>2010-01-11 05:37:29 +0000
committerKenneth R Westerback <krw@cvs.openbsd.org>2010-01-11 05:37:29 +0000
commit70ede44dcc23137f8f48af5527c183dc1f9276a7 (patch)
treeaa7d40bdf93ce945223cb01d722b2459c38193e8 /sys
parent228d3990a924a2b72412ea337706ca2c8bdacca1 (diff)
Negative offset or negative size in a buf is invalid. Treat just like other
invalid offsets and sizes: reject the i/o. ok deraadt@ beck@
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/subr_disk.c9
1 files changed, 3 insertions, 6 deletions
diff --git a/sys/kern/subr_disk.c b/sys/kern/subr_disk.c
index 077b0874e77..2b14e8d54ec 100644
--- a/sys/kern/subr_disk.c
+++ b/sys/kern/subr_disk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: subr_disk.c,v 1.97 2009/08/13 15:23:11 deraadt Exp $ */
+/* $OpenBSD: subr_disk.c,v 1.98 2010/01/11 05:37:28 krw Exp $ */
/* $NetBSD: subr_disk.c,v 1.17 1996/03/16 23:17:08 christos Exp $ */
/*
@@ -668,13 +668,10 @@ bounds_check_with_label(struct buf *bp, struct disklabel *lp, int wlabel)
struct partition *p = &lp->d_partitions[DISKPART(bp->b_dev)];
daddr64_t sz = howmany(bp->b_bcount, DEV_BSIZE);
- /* avoid division by zero */
- if (lp->d_secpercyl == 0)
+ /* Avoid division by zero, negative offsets and negative sizes. */
+ if (lp->d_secpercyl == 0 || bp->b_blkno < 0 || sz < 0)
goto bad;
- if (bp->b_blkno < 0 || sz < 0)
- panic("bounds_check_with_label %lld %lld\n", bp->b_blkno, sz);
-
/* beyond partition? */
if (bp->b_blkno + sz > DL_SECTOBLK(lp, DL_GETPSIZE(p))) {
sz = DL_SECTOBLK(lp, DL_GETPSIZE(p)) - bp->b_blkno;