[PATCH 21/29] device/ds_routines.c (device_write_get): check if io_count
From: Marin Ramesa
Subject: [PATCH 21/29] device/ds_routines.c (device_write_get): check if io_count is larger or equal to zero and cast it to size_t
Date: Mon, 9 Dec 2013 23:57:36 +0100
Check if member io_count is non-negative. If it is negative the call to
memcpy() will fail. Return KERN_INVALID_ARGUMENT in that case.
* device/ds_routines.c (device_write_get): Check if member io_count is
non-negative.
(device_write_get) (memcpy) (io_data): Cast to (void *).
(device_write_get) (memcpy) (io_count): Cast to size_t.
---
device/ds_routines.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/device/ds_routines.c b/device/ds_routines.c
index 03c680f..309355e 100644
--- a/device/ds_routines.c
+++ b/device/ds_routines.c
@@ -856,7 +856,10 @@ device_write_get(ior, wait)
if (ior->io_op & IO_INBAND) {
assert(ior->io_count <= sizeof (io_buf_ptr_inband_t));
new_addr = kmem_cache_alloc(&io_inband_cache);
- memcpy((void*)new_addr, ior->io_data, ior->io_count);
+ if (ior->io_count >= 0)
+ memcpy((void *)new_addr, (void *)ior->io_data,
(size_t)ior->io_count);
+ else
+ return KERN_INVALID_ARGUMENT;
ior->io_data = (io_buf_ptr_t)new_addr;
ior->io_alloc_size = sizeof (io_buf_ptr_inband_t);
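Review bot: the new else branch returns KERN_INVALID_ARGUMENT after `new_addr = kmem_cache_alloc(&io_inband_cache);` has already run, so the object taken from io_inband_cache is leaked on this error path. Move the `ior->io_count >= 0` test above the allocation, or release new_addr before returning. The upper bound on the same memcpy() is still enforced only by the assert() two lines earlier; checking both limits in one runtime test (non-negative and no larger than `sizeof (io_buf_ptr_inband_t)`) would keep the copy bounded in builds where assert() compiles to nothing. The added `(void *)` cast on ior->io_data is unnecessary, since memcpy() accepts any object pointer without it.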
--
1.8.1.4