Thanks. A similar diff was discussed privately with a few
developers during the last few days and is about to be
committed soon.
Martin Natano wrote:
Another integer overflow: A recv() call with a size of 2^32 bytes causes
soreceive() to spin in an endless loop, resulting in a system freeze.
The diff below prevents this behaviour by establishing an upper bound
for uio_resid before assigning the value to an integer variable with
smaller width.