Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_physio.c | 13 | ||||
-rw-r--r-- | sys/scsi/scsi_ioctl.c | 10 |
2 files changed, 15 insertions, 8 deletions
diff --git a/sys/kern/kern_physio.c b/sys/kern/kern_physio.c
index 25eb36a11a0..5a31a3aa7d4 100644
--- a/sys/kern/kern_physio.c
+++ b/sys/kern/kern_physio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_physio.c,v 1.23 2005/11/28 00:14:28 jsg Exp $ */
+/* $OpenBSD: kern_physio.c,v 1.24 2005/12/08 14:02:47 krw Exp $ */
 /* $NetBSD: kern_physio.c,v 1.28 1997/05/19 10:43:28 pk Exp $ */
 /*-
@@ -124,10 +124,19 @@ physio(void (*strategy)(struct buf *), struct buf *bp, dev_t dev, int flags,
 /* [set up the buffer for a maximum-sized transfer] */
 bp->b_blkno = btodb(uio->uio_offset);
- bp->b_bcount = iovp->iov_len;
 bp->b_data = iovp->iov_base;
 /*
+ * Because iov_len is unsigned but b_bcount is signed,
+ * an overflow is possible. Therefore bound to MAXPHYS
+ * before calling minphys.
+ */
+ if (iovp->iov_len > MAXPHYS)
+ bp->b_bcount = MAXPHYS;
+ else
+ bp->b_bcount = iovp->iov_len;
+
+ /*
 * [call minphys to bound the tranfer size]
 * and remember the amount of data to transfer,
 * for later comparison.
diff --git a/sys/scsi/scsi_ioctl.c b/sys/scsi/scsi_ioctl.c
index 6c6f0d3e6b9..c20b33f5086 100644
--- a/sys/scsi/scsi_ioctl.c
+++ b/sys/scsi/scsi_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scsi_ioctl.c,v 1.21 2005/10/10 20:06:11 krw Exp $ */
+/* $OpenBSD: scsi_ioctl.c,v 1.22 2005/12/08 14:02:47 krw Exp $ */
 /* $NetBSD: scsi_ioctl.c,v 1.23 1996/10/12 23:23:17 christos Exp $ */
 /*
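Review bot: In the physio() hunk of kern_physio.c, the new comment above the clamp says only that "an overflow is possible", which does not tell a reader what actually goes wrong. I would spell out the consequence, for example `* iov_len is unsigned and b_bcount is signed, so a very large iov_len would be stored as a negative count; clamp to MAXPHYS before calling minphys.` It is also worth confirming that every later use of the transfer size in physio() reads `bp->b_bcount` rather than `iovp->iov_len`, since only the former is bounded here; that code lies outside the hunk.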
@@ -378,18 +378,16 @@ scsi_do_ioctl( struct scsi_link *sc_link, dev_t dev, u_long cmd, caddr_t addr,
 case SCIOCCOMMAND: {
 scsireq_t *screq = (scsireq_t *)addr;
 struct scsi_ioctl *si;
- int len;
 si = si_get();
 si->si_screq = *screq;
 si->si_sc_link = sc_link;
- len = screq->datalen;
- if (len) {
+ if (screq->datalen) {
 si->si_iov.iov_base = screq->databuf;
- si->si_iov.iov_len = len;
+ si->si_iov.iov_len = screq->datalen;
 si->si_uio.uio_iov = &si->si_iov;
 si->si_uio.uio_iovcnt = 1;
- si->si_uio.uio_resid = len;
+ si->si_uio.uio_resid = screq->datalen;
 si->si_uio.uio_offset = 0;
 si->si_uio.uio_segflg = UIO_USERSPACE;
 si->si_uio.uio_rw = |
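Review bot: In the SCIOCCOMMAND case, `screq->datalen` is taken from the ioctl argument and is now copied unchanged into both `si_iov.iov_len` and `si_uio.uio_resid`, with no range check anywhere in the visible lines. Dropping the `int len` temporary removes the truncation at this site, but the only bound left is, presumably, the MAXPHYS clamp this commit adds to physio(). If `uio_resid` is a signed field (its declaration is not visible here), a very large `datalen` could still turn negative in that assignment. Consider rejecting an out-of-range `datalen` before filling in the uio, or at least documenting the reliance with a comment such as `/* datalen is user-supplied; physio() bounds each transfer to MAXPHYS */`. The case block continues past the end of the hunk.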