Check if member io_count is non-negative. If it is negative the call to
device_read_alloc() will fail. Return KERN_INVALID_ARGUMENT in that case.
* device/kmsg.c (kmsgread): Check if member io_count is non-negative.
(kmsgread) (device_read_alloc) (io_count): Cast to vm_size_t.
---
device/kmsg.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/device/kmsg.c b/device/kmsg.c
index 7034bfc..d2710a3 100644
--- a/device/kmsg.c
+++ b/device/kmsg.c
@@ -96,7 +96,10 @@ kmsgread (dev_t dev, io_req_t ior)
int err;
int amt, len;
- err = device_read_alloc (ior, ior->io_count);
+ if (ior->io_count >= 0)
+ err = device_read_alloc (ior, (vm_size_t)ior->io_count);
+ else
+ return KERN_INVALID_ARGUMENT;
if (err != KERN_SUCCESS)
return err;
--
1.8.1.4
