From 6438c894da90fe46c8a2886d8be6c11b8d0225b3 Mon Sep 17 00:00:00 2001
From: Bruce Evans
Date: Thu, 6 Jun 2002 00:35:07 +0000
Subject: Fixed overflow in the bounds checking in dscheck(). It assumed that daadr_t is no larger than a long, and some other relatively harmless things (*blush*). Overflow for subtracting a daddr_t from a u_long caused "truncation" of the i/o for attempts to access blocks beyond the end of the actually cause expansion of the i/o to a preposterous size.
---
sys/kern/subr_diskslice.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'sys/kern/subr_diskslice.c')
diff --git a/sys/kern/subr_diskslice.c b/sys/kern/subr_diskslice.c
index 9259bf8124fc..a52e301a9736 100644
--- a/sys/kern/subr_diskslice.c
+++ b/sys/kern/subr_diskslice.c
@@ -56,6 +56,7 @@ #include #include #include +#include #include #include
@@ -224,19 +225,18 @@ if (labelsect != 0) Debugger("labelsect != 0 in dscheck()"); #endif /* beyond partition? */ - if (secno + nsec > endsecno) { + if ((uintmax_t)secno + nsec > endsecno) { /* if exactly at end of disk, return an EOF */ if (secno == endsecno) { bp->bio_resid = bp->bio_bcount; return (0); } /* or truncate if part of it fits */ - nsec = endsecno - secno; - if (nsec <= 0) { + if (secno > endsecno) { bp->bio_error = EINVAL; goto bad; } - bp->bio_bcount = nsec * ssp->dss_secsize; + bp->bio_bcount = (endsecno - secno) * ssp->dss_secsize; } bp->bio_pblkno = sp->ds_offset + slicerel_secno; -- cgit v1.2.3
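Review bot: The widened test `(uintmax_t)secno + nsec > endsecno` and the later `secno > endsecno` both depend on secno being non-negative, and nothing in this hunk establishes that. The commit message says secno is a daddr_t; if that type is signed and wider than endsecno's, a negative secno becomes a very large value in the first test but can still compare below endsecno in the second, so `(endsecno - secno) * ssp->dss_secsize` would enlarge bio_bcount instead of truncating it. If no earlier check in dscheck() rejects negative block numbers, the reject branch could read `if (secno < 0 || secno > endsecno) {`; if one does, a comment such as `/* secno >= 0 was verified above */` next to the cast would record the invariant. dscheck()'s body begins and ends outside the hunk, so this needs confirming against the full function.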