Check that member io_count is non-negative. If it is negative, the call to memcpy() will fail; return KERN_INVALID_ARGUMENT in that case.
* device/ds_routines.c (device_write_get): Check if member io_count is non-negative. (device_write_get) (memcpy) (io_data): Cast to (void *). (device_write_get) (memcpy) (io_count): Cast to size_t.
---
 device/ds_routines.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/device/ds_routines.c b/device/ds_routines.c
index 03c680f..309355e 100644
--- a/device/ds_routines.c
+++ b/device/ds_routines.c
@@ -856,7 +856,10 @@ device_write_get(ior, wait)
 if (ior->io_op & IO_INBAND) {
 assert(ior->io_count <= sizeof (io_buf_ptr_inband_t));
 new_addr = kmem_cache_alloc(&io_inband_cache);
- memcpy((void*)new_addr, ior->io_data, ior->io_count);
+ if (ior->io_count >= 0)
+ memcpy((void *)new_addr, (void *)ior->io_data, (size_t)ior->io_count);
+ else
+ return KERN_INVALID_ARGUMENT;
 ior->io_data = (io_buf_ptr_t)new_addr;
 ior->io_alloc_size = sizeof (io_buf_ptr_inband_t);
-- 
1.8.1.4
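Review bot: The new `else` branch returns `KERN_INVALID_ARGUMENT` after `kmem_cache_alloc(&io_inband_cache)` has already run, so the object held in `new_addr` appears to be leaked on every rejected request; the check belongs before the allocation. The upper bound is still enforced only by the `assert` above, which compares the (apparently signed) `io_count` with a `size_t` and presumably disappears in builds without assertions, so an oversized count could still overrun the cache object in the `memcpy`. Both can be handled with one guard placed ahead of the allocation: `if (ior->io_count < 0 || (size_t)ior->io_count > sizeof (io_buf_ptr_inband_t)) return KERN_INVALID_ARGUMENT;`. The body of `device_write_get` starts and ends outside the hunk, so whether callers already bound `io_count` cannot be confirmed from here.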