Check if amt is negative. If it is negative, the call to memcpy() will fail. In that case, return FALSE.
* device/kmsg.c (kmsg_read_done): Check if amt is negative. --- device/kmsg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/device/kmsg.c b/device/kmsg.c index f6a21da..25fa91a 100644 --- a/device/kmsg.c +++ b/device/kmsg.c @@ -169,7 +169,8 @@ kmsg_read_done (io_req_t ior) if (len < 0) len += KMSGBUFSIZE; - amt = ior->io_count; + if ((amt = ior->io_count) < 0) + return FALSE; if (amt > len) amt = len; -- 1.8.1.4
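Review bot: The new early exit at `if ((amt = ior->io_count) < 0)` returns FALSE without recording any error on `ior`, and the hunk does not show what FALSE means to the caller of kmsg_read_done. Please confirm that a request with an invalid count is not left pending or retried, and that anything acquired earlier in the function (a lock, for instance) is released on this path. If the request should instead complete with an error, set the error on `ior` before returning. The check is also only effective if `amt` is a signed type, and its declaration is outside the visible context, so please verify that too. As a style point, keep the assignment out of the condition: leave `amt = ior->io_count;` as it was and follow it with a separate `if (amt < 0)` and `return FALSE;`. In the commit message, "will fail" understates the problem: a negative count passed to memcpy() is converted to a very large size_t, so the copy runs far past the buffer rather than failing cleanly, and saying so would make the reason for the check clearer.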