From 54c0eb9aa642098413fc0ebe93d72fc1e086e733 Mon Sep 17 00:00:00 2001 From: Thomas Veerman Date: Fri, 16 Dec 2011 08:45:04 +0000 Subject: [PATCH] Compare read/write buf size against SSIZE_MAX instead of "< 0" The nbyte in read(int fildes, void *buf, size_t nbyte) is unsigned, so although technically we're doing the same comparison, this is more in line with POSIX. The comparison was moved to read_write as that routine is used within VFS to let it VFS write out coredumps. --- servers/avfs/read.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/servers/avfs/read.c b/servers/avfs/read.c index fd97cc37d..24f3eb677 100644 --- a/servers/avfs/read.c +++ b/servers/avfs/read.c @@ -78,9 +78,6 @@ int rw_flag; /* READING or WRITING */ tll_access_t locktype; int r; - /* If the file descriptor is valid, get the vnode, size and mode. */ - if (m_in.nbytes < 0) return(EINVAL); - locktype = (rw_flag == READING) ? VNODE_READ : VNODE_WRITE; if ((f = get_filp(m_in.fd, locktype)) == NULL) return(err_code); if (((f->filp_mode) & (rw_flag == READING ? R_BIT : W_BIT)) == 0) { @@ -116,6 +113,8 @@ PUBLIC int read_write(int rw_flag, struct filp *f, char *buf, size_t size, r = OK; cum_io = 0; + if (size > SSIZE_MAX) return(EINVAL); + if (vp->v_pipe == I_PIPE) { if (fp->fp_cum_io_partial != 0) { panic("VFS: read_write: fp_cum_io_partial not clear"); -- 2.44.0
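Review bot: With the `m_in.nbytes < 0` test removed from the top of this function, the request size is validated only inside read_write(), after `get_filp(m_in.fd, locktype)` has already taken the filp lock, so the EINVAL path no longer returns lock-free. The unlock after read_write() returns is outside the hunk, so please confirm that an early error return from read_write() still reaches it. The deleted comment `/* If the file descriptor is valid, get the vnode, size and mode. */` appears to describe the get_filp() lookup rather than the size test, and could stay. In place of the removed check I would leave a pointer such as `/* nbytes is range-checked against SSIZE_MAX in read_write() */`. The function starts and ends outside the hunk.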
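Review bot: The new `if (size > SSIZE_MAX) return(EINVAL);` has no comment saying that it must also catch negative request sizes, which the removed `m_in.nbytes < 0` test did explicitly. That only holds if the signed message field is converted to `size_t` before it arrives here, and that conversion is outside this hunk. A comment such as `/* Also rejects a negative nbytes, which reaches us as a huge size_t. */` would make the dependency visible to the next maintainer. The patch adds no include, so `SSIZE_MAX` presumably already comes from an existing header (normally `<limits.h>`); worth confirming for this file. read_write() starts and ends outside the hunk.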