From 70ede44dcc23137f8f48af5527c183dc1f9276a7 Mon Sep 17 00:00:00 2001
From: Kenneth R Westerback
Date: Mon, 11 Jan 2010 05:37:29 +0000
Subject: Negative offset or negative size in a buf is invalid. Treat just like other invalid offsets and sizes: reject the i/o. ok deraadt@ beck@
---
 sys/kern/subr_disk.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
(limited to 'sys')
diff --git a/sys/kern/subr_disk.c b/sys/kern/subr_disk.c
index 077b0874e77..2b14e8d54ec 100644
--- a/sys/kern/subr_disk.c
+++ b/sys/kern/subr_disk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: subr_disk.c,v 1.97 2009/08/13 15:23:11 deraadt Exp $ */
+/* $OpenBSD: subr_disk.c,v 1.98 2010/01/11 05:37:28 krw Exp $ */
 /* $NetBSD: subr_disk.c,v 1.17 1996/03/16 23:17:08 christos Exp $ */
 
 /*
@@ -668,13 +668,10 @@ bounds_check_with_label(struct buf *bp, struct disklabel *lp, int wlabel)
 struct partition *p = &lp->d_partitions[DISKPART(bp->b_dev)];
 daddr64_t sz = howmany(bp->b_bcount, DEV_BSIZE);
 
- /* avoid division by zero */
- if (lp->d_secpercyl == 0)
+ /* Avoid division by zero, negative offsets and negative sizes. */
+ if (lp->d_secpercyl == 0 || bp->b_blkno < 0 || sz < 0)
 goto bad;
 
- if (bp->b_blkno < 0 || sz < 0)
- panic("bounds_check_with_label %lld %lld\n", bp->b_blkno, sz);
-
 /* beyond partition? */
 if (bp->b_blkno + sz > DL_SECTOBLK(lp, DL_GETPSIZE(p))) {
 sz = DL_SECTOBLK(lp, DL_GETPSIZE(p)) - bp->b_blkno;
-- 
cgit v1.2.3
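Review bot: The merged guard tests the rounded block count `sz` rather than `bp->b_bcount`, so a small negative byte count may still pass: assuming the usual `howmany()` rounding and a signed `b_bcount` (neither definition is visible here), values between `-DEV_BSIZE` and `-1` round to `sz == 0` and are not caught by `sz < 0`. If the intent is to reject every negative size, test the raw field instead, e.g. `if (lp->d_secpercyl == 0 || bp->b_blkno < 0 || bp->b_bcount < 0)`. Separately, the guard sets no upper bound, so `bp->b_blkno + sz` on the following context line could overflow the signed type if a caller can supply a block number near its maximum; comparing `bp->b_blkno > DL_SECTOBLK(lp, DL_GETPSIZE(p)) - sz` avoids the addition. The function body, including the `bad` label that performs the rejection, lies outside the hunk.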