git: 2a8c3e7b22c8 - stable/12 - sbuf_uionew(): sbuf_new() takes int as length

[Konstantin Belousov]

The branch stable/12 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=2a8c3e7b22c8d09233c148411a3169ca6a7f364d

commit 2a8c3e7b22c8d09233c148411a3169ca6a7f364d
Author:     Konstantin Belousov <kib at FreeBSD.org>
AuthorDate: 2021-04-13 19:12:19 +0000
Commit:     Konstantin Belousov <kib at FreeBSD.org>
CommitDate: 2021-05-01 00:38:30 +0000

    sbuf_uionew(): sbuf_new() takes int as length
    
    (cherry picked from commit 116f26f947b8bbf868dcd85d79226406029a45ee)
---
 sys/kern/subr_sbuf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/kern/subr_sbuf.c b/sys/kern/subr_sbuf.c
index ac6bc14b7a8c..03f7b1e94c51 100644
--- a/sys/kern/subr_sbuf.c
+++ b/sys/kern/subr_sbuf.c
@@ -259,6 +259,10 @@ sbuf_uionew(struct sbuf *s, struct uio *uio, int *error)
 	KASSERT(error != NULL,
 	    ("%s called with NULL error pointer", __func__));
 
+	if (uio->uio_resid >= INT_MAX || uio->uio_resid < SBUF_MINSIZE - 1) {
+		*error = EINVAL;
+		return (NULL);
+	}
 	s = sbuf_new(s, NULL, uio->uio_resid + 1, 0);
 	if (s == NULL) {
 		*error = ENOMEM;