From f2d72a68233b93339bcc87ab6e66368f7decbe1e Mon Sep 17 00:00:00 2001
From: Miles Bader
Date: Mon, 10 Apr 1995 16:16:03 +0000
Subject: (open_write, open_read): Bounds check I/O.
---
 devio/rdwr.c | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
(limited to 'devio')
diff --git a/devio/rdwr.c b/devio/rdwr.c
index 99ba9414..cda7635d 100644
--- a/devio/rdwr.c
+++ b/devio/rdwr.c
@@ -366,15 +366,14 @@ open_write(struct open *open, vm_address_t buf, vm_size_t len,
 error_t err;
 struct rdwr_state state;
 struct dev *dev = open->dev;
-#ifdef MSG
- off_t start_offs;
-#endif
 rdwr_state_init(&state, open, offs);
-#ifdef MSG
- start_offs = *state.offs_p;
-#endif
+ offs = *state.offs_p;
+ if (offs < 0)
+ return EINVAL;
+ if (offs + len > dev->size)
+ return EIO;
 if (!dev_is(dev, DEV_BUFFERED))
 err = raw_write(dev, buf, len, amount, state.offs_p);
@@ -398,12 +397,12 @@ open_write(struct open *open, vm_address_t buf, vm_size_t len,
 mutex_lock(&debug_lock);
 fprintf(debug, "open_rdwr:\n using %s offset\n",
- (offs == -1 || !dev_is(dev, DEV_BUFFERED))
+ (state.user_offs == -1 || !dev_is(dev, DEV_BUFFERED))
 ? (state.offs_p == &dev->io_state.location ? "device" : "open") : "msg");
 fprintf(debug, " %s write(%s, %d, %d) => %s, %d\n",
- mode, bstr, len, (int)start_offs, estr, *amount);
+ mode, bstr, len, (int)offs, estr, *amount);
 fprintf(debug, " offset = %d\n", (int)*state.offs_p);
 mutex_unlock(&debug_lock);
 }
@@ -424,15 +423,14 @@ open_read(struct open *open, vm_address_t *buf, vm_size_t *buf_len,
 error_t err;
 struct rdwr_state state;
 struct dev *dev = open->dev;
-#ifdef MSG
- off_t start_offs;
-#endif
 rdwr_state_init(&state, open, offs);
-#ifdef MSG
- start_offs = *state.offs_p;
-#endif
+ offs = *state.offs_p;
+ if (offs < 0)
+ return EINVAL;
+ if (offs + amount > dev->size)
+ return EIO;
 if (!dev_is(dev, DEV_BUFFERED))
 err = raw_read(dev, buf, buf_len, amount, state.offs_p);
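Review bot: The new end-of-device test in open_write, `if (offs + len > dev->size)`, adds the caller-supplied `len` (a `vm_size_t`) to the offset before comparing, so a large enough `len` can wrap the sum and slip past the check. The declarations of `offs` and `dev->size` are outside the hunk, so the width at which this wraps depends on types not visible here. Comparing by subtraction avoids the addition entirely: `if (len > dev->size || offs > dev->size - len) return EIO;`. The open_read hunk has the same pattern as `offs + amount > dev->size` and needs the same change; both functions begin and continue outside their hunks.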
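Review bot: In open_read the bounds check is made on the local snapshot `offs = *state.offs_p`, but `raw_read` is then handed `state.offs_p` itself, so the value that was validated is not necessarily the value the I/O uses. The debug code in the later hunk shows `state.offs_p` can be `&dev->io_state.location`, which appears to be per-device rather than per-call state; no lock is visible in this hunk, and the function continues outside it, so this may already be covered elsewhere. If it is, a comment above the check would record the assumption, e.g. `/* Whatever lock protects *state.offs_p must be held from rdwr_state_init until the I/O returns, or the offset checked here can differ from the one used.  */`. If it is not, the check should be repeated where the offset is actually consumed. The open_write hunk has the same shape.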
@@ -456,12 +454,12 @@ open_read(struct open *open, vm_address_t *buf, vm_size_t *buf_len,
 mutex_lock(&debug_lock);
 fprintf(debug, "open_rdwr:\n using %s offset\n",
- (offs == -1 || !dev_is(dev, DEV_BUFFERED))
+ (state.user_offs == -1 || !dev_is(dev, DEV_BUFFERED))
 ? (state.offs_p == &dev->io_state.location ? "device" : "open") : "msg");
 fprintf(debug, " %s read(%d, %d) => %s, %s, %d\n",
- mode, amount, (int)start_offs, estr, bstr, *buf_len);
+ mode, amount, (int)offs, estr, bstr, *buf_len);
 fprintf(debug, " offset = %d\n", (int)*state.offs_p);
 mutex_unlock(&debug_lock);
 }
--
cgit v1.2.3