Check if member io_count is non-negative. If it is negative the call
to device_read_alloc() will fail. Return KERN_INVALID_ARGUMENT in that
case.
* device/chario.c (char_read): Check if member io_count is non-negative.
---
device/chario.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/device/chario.c b/device/chario.c
index c9f946c..f912924 100644
--- a/device/chario.c
+++ b/device/chario.c
@@ -394,7 +394,11 @@ io_return_t char_read(
/*
* Allocate memory for read buffer.
*/
- rc = device_read_alloc(ior, (vm_size_t)ior->io_count);
+ if (ior->io_count >= 0)
+ rc = device_read_alloc(ior, (vm_size_t)ior->io_count);
+ else
+ return KERN_INVALID_ARGUMENT;
+
if (rc != KERN_SUCCESS)
return rc;
--
1.8.1.4
