From fca26c8f08a50b2597e621370bef424312ff47e8 Mon Sep 17 00:00:00 2001 From: miod Date: Fri, 6 Aug 2010 00:00:38 +0000 Subject: [PATCH] Every time you ignore uiomove() return value, $DEITY kills a little $ADORABLE_FELINE. ok deraadt@ matthew@ --- sys/arch/sparc/dev/bpp.c | 6 ++++-- sys/dev/ic/lpt.c | 6 ++++-- sys/kern/tty_pty.c | 6 ++++-- sys/ntfs/ntfs_subr.c | 42 ++++++++++++++++++++++++++-------------- 4 files changed, 40 insertions(+), 20 deletions(-) diff --git a/sys/arch/sparc/dev/bpp.c b/sys/arch/sparc/dev/bpp.c index 774f693efb0..242f4bd1292 100644 --- a/sys/arch/sparc/dev/bpp.c +++ b/sys/arch/sparc/dev/bpp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bpp.c,v 1.4 2003/06/03 21:09:02 deraadt Exp $ */ +/* $OpenBSD: bpp.c,v 1.5 2010/08/06 00:00:38 miod Exp $ */ /* * Copyright (c) 1997, Jason Downs. All rights reserved. @@ -273,7 +273,9 @@ bppwrite(dev, uio, flags) int error = 0; while ((n = min(BPP_BSIZE, uio->uio_resid)) != 0) { - uiomove(bpp->sc_cp = bpp->sc_inbuf->b_data, n, uio); + error = uiomove(bpp->sc_cp = bpp->sc_inbuf->b_data, n, uio); + if (error != 0) + return error; bpp->sc_count = n; error = bpppushbytes(bpp); if (error) { diff --git a/sys/dev/ic/lpt.c b/sys/dev/ic/lpt.c index 9f7ba6cb891..4d2b1b50eb2 100644 --- a/sys/dev/ic/lpt.c +++ b/sys/dev/ic/lpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lpt.c,v 1.6 2010/06/26 23:24:44 guenther Exp $ */ +/* $OpenBSD: lpt.c,v 1.7 2010/08/06 00:00:41 miod Exp $ */ /* $NetBSD: lpt.c,v 1.42 1996/10/21 22:41:14 thorpej Exp $ */ /* @@ -373,7 +373,9 @@ lptwrite(dev, uio, flags) int error = 0; while ((n = min(LPT_BSIZE, uio->uio_resid)) != 0) { - uiomove(sc->sc_cp = sc->sc_inbuf->b_data, n, uio); + error = uiomove(sc->sc_cp = sc->sc_inbuf->b_data, n, uio); + if (error != 0) + return error; sc->sc_count = n; error = lptpushbytes(sc); if (error) { diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c index 5ea88c167fd..dd3b30650e7 100644 --- a/sys/kern/tty_pty.c +++ b/sys/kern/tty_pty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tty_pty.c,v 1.50 2010/07/26 01:56:27 guenther Exp $ */ +/* $OpenBSD: tty_pty.c,v 1.51 2010/08/06 00:00:41 miod Exp $ */ /* $NetBSD: tty_pty.c,v 1.33.4.1 1996/06/02 09:08:11 mrg Exp $ */ /* @@ -464,7 +464,9 @@ ptcread(dev_t dev, struct uio *uio, int flag) if (pti->pt_send & TIOCPKT_IOCTL) { cc = MIN(uio->uio_resid, sizeof(tp->t_termios)); - uiomove(&tp->t_termios, cc, uio); + error = uiomove(&tp->t_termios, cc, uio); + if (error) + return (error); } pti->pt_send = 0; return (0); diff --git a/sys/ntfs/ntfs_subr.c b/sys/ntfs/ntfs_subr.c index 00b57cdec67..dd31056459d 100644 --- a/sys/ntfs/ntfs_subr.c +++ b/sys/ntfs/ntfs_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ntfs_subr.c,v 1.18 2009/08/13 16:00:53 jasper Exp $ */ +/* $OpenBSD: ntfs_subr.c,v 1.19 2010/08/06 00:00:41 miod Exp $ */ /* $NetBSD: ntfs_subr.c,v 1.4 2003/04/10 21:37:32 jdolecek Exp $ */ /*- @@ -1517,9 +1517,11 @@ ntfs_writentvattr_plain( return (error); } } - if (uio) - uiomove(bp->b_data + off, tocopy, uio); - else + if (uio) { + error = uiomove(bp->b_data + off, tocopy, uio); + if (error != 0) + break; + } else memcpy(bp->b_data + off, data, tocopy); bawrite(bp); data = data + tocopy; @@ -1531,7 +1533,7 @@ ntfs_writentvattr_plain( } } - if (left) { + if (left && error == 0) { printf("ntfs_writentvattr_plain: POSSIBLE RUN ERROR\n"); error = EINVAL; } @@ -1624,8 +1626,10 @@ ntfs_readntvattr_plain( return (error); } if (uio) { - uiomove(bp->b_data + off, + error = uiomove(bp->b_data + off, tocopy, uio); + if (error != 0) + break; } else { memcpy(data, bp->b_data + off, tocopy); @@ -1650,22 +1654,27 @@ ntfs_readntvattr_plain( off = 0; if (uio) { size_t remains = tocopy; - for(; remains; remains--) - uiomove("", 1, uio); + for(; remains; remains--) { + error = uiomove("", 1, uio); + if (error != 0) + break; + } } else bzero(data, tocopy); data = data + tocopy; } cnt++; + if (error != 0) + break; } - if (left) { + if (left && error == 0) { printf("ntfs_readntvattr_plain: POSSIBLE RUN ERROR\n"); error = E2BIG; } } else { ddprintf(("ntfs_readnvattr_plain: data is in mft record\n")); if (uio) - uiomove(vap->va_datap + roff, rsize, uio); + error = uiomove(vap->va_datap + roff, rsize, uio); else memcpy(rdata, vap->va_datap + roff, rsize); *initp += rsize; @@ -1792,14 +1801,17 @@ ntfs_readattr( if (init == ntfs_cntob(NTFS_COMPUNIT_CL)) { if (uio) - uiomove(cup + off, tocopy, uio); + error = uiomove(cup + off, tocopy, uio); else memcpy(data, cup + off, tocopy); } else if (init == 0) { if (uio) { size_t remains = tocopy; - for(; remains; remains--) - uiomove("", 1, uio); + for(; remains; remains--) { + error = uiomove("", 1, uio); + if (error != 0) + break; + } } else bzero(data, tocopy); @@ -1808,10 +1820,12 @@ ntfs_readattr( if (error) break; if (uio) - uiomove(uup + off, tocopy, uio); + error = uiomove(uup + off, tocopy, uio); else memcpy(data, uup + off, tocopy); } + if (error) + break; left -= tocopy; data = data + tocopy; -- 2.20.1