bug-hurd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 21/29] device/ds_routines.c (device_write_get): check if io_count


From: Marin Ramesa
Subject: [PATCH 21/29] device/ds_routines.c (device_write_get): check if io_count is larger or equal to zero and cast it to size_t
Date: Mon, 9 Dec 2013 23:57:36 +0100

Check if member io_count is non-negative. If it is negative the call to
memcpy() will fail. Return KERN_INVALID_ARGUMENT in that case.

* device/ds_routines.c (device_write_get): Check if member io_count is 
non-negative.
(device_write_get) (memcpy) (io_data): Cast to (void *).
(device_write_get) (memcpy) (io_count): Cast to size_t.

---
 device/ds_routines.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/device/ds_routines.c b/device/ds_routines.c
index 03c680f..309355e 100644
--- a/device/ds_routines.c
+++ b/device/ds_routines.c
@@ -856,7 +856,10 @@ device_write_get(ior, wait)
        if (ior->io_op & IO_INBAND) {
            assert(ior->io_count <= sizeof (io_buf_ptr_inband_t));
            new_addr = kmem_cache_alloc(&io_inband_cache);
-           memcpy((void*)new_addr, ior->io_data, ior->io_count);
+           if (ior->io_count >= 0)
+               memcpy((void *)new_addr, (void *)ior->io_data, 
(size_t)ior->io_count);
+           else
+               return KERN_INVALID_ARGUMENT;
            ior->io_data = (io_buf_ptr_t)new_addr;
            ior->io_alloc_size = sizeof (io_buf_ptr_inband_t);
 
-- 
1.8.1.4




reply via email to

[Prev in Thread] Current Thread [Next in Thread]