"Todd C. Miller" <Todd.Millerat_private> writes:
> In message <xzphg0357ze.fsfat_private>
>         so spake (dag-erli):
>
> > /sys/kern/sys_generic.c:
> >         if (uap->iovcnt > UIO_MAXIOV)
> >                 return (EINVAL);
>
> We are talking about uio_resid not uio_iovcnt.

*thwap* my mistake. The relevant piece of code is:

/sys/kern/sys_generic.c:
        auio.uio_resid = 0;
        for (i = 0; i < uap->iovcnt; i++) {
                auio.uio_resid += iov->iov_len;
                if (auio.uio_resid < 0) {
                        error = EINVAL;
                        goto done;
                }
                iov++;
        }

and since, as someone pointed out, iov->iov_len is a size_t, it doesn't
make sense to check for negative values of auio.uio_resid. The problem
arises from auio.uio_resid being an int rather than a size_t.

DES (open mouth, insert foot, echo internationally)
--
Dag-Erling Smørgrav - dag-erliat_private
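
Added example (not part of the original message or of the kernel source): a user-space C model of the summation loop quoted above, next to a variant that checks before adding. The function names, the assumption that int and size_t are both 32 bits, and the sample lengths are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the quoted loop on a platform where int and size_t are 32 bits
 * (assumption): the addition wraps modulo 2^32 and "resid < 0" is a test
 * of the top bit of the running total. */
static int sum_legacy32(const uint32_t *len, int cnt, int32_t *out)
{
    uint32_t resid = 0;
    for (int i = 0; i < cnt; i++) {
        resid += len[i];                 /* may wrap past 2^32 */
        if (resid & 0x80000000u)         /* equivalent of resid < 0 */
            return EINVAL;
    }
    *out = (int32_t)resid;               /* top bit clear, value fits */
    return 0;
}

/* Checked form: refuse the addition before it can exceed INT32_MAX. */
static int sum_checked32(const uint32_t *len, int cnt, int32_t *out)
{
    uint32_t resid = 0;                  /* invariant: resid <= INT32_MAX */
    for (int i = 0; i < cnt; i++) {
        if (len[i] > (uint32_t)INT32_MAX - resid)
            return EINVAL;
        resid += len[i];
    }
    *out = (int32_t)resid;
    return 0;
}

int main(void)
{
    /* Constructed lengths whose sum is exactly 2^32. */
    const uint32_t lens[] = { 0x7fffffffu, 0x80000001u };
    int32_t total = -1;
    int rc = sum_legacy32(lens, 2, &total);
    printf("legacy:  rc=%d total=%d\n", rc, (int)total);
    total = -1;
    rc = sum_checked32(lens, 2, &total);
    printf("checked: rc=%d total=%d\n", rc, (int)total);
    return 0;
}
```

The post-addition sign test only sees totals that land in the upper half of the 32-bit range; the pre-addition comparison rejects any sum that would not fit in the signed total.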
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:36 PDT