From 97f1b9871ed4c8375554e98a9c3f22238c9a5096 Mon Sep 17 00:00:00 2001
From: Mike Pritchard
Date: Wed, 24 Jan 1996 18:52:18 +0000
Subject: [PATCH] Add a check to prevent a computation from underflowing and causing a panic due to an attaempt to allocate a buffer for a terabyte or so of data when an attempt is made to create sparse data (e.g. a holey file) more than 1 block past the end of the file. Note: some other areas of this code need to be looked at, since they might cause problems when the file size exceeds 2GB, due to storing results in ints when the computations are being done with quad sized variables.
Reviewed by: bde
---
 sys/nfs/nfs_bio.c | 7 ++++---
 sys/nfsclient/nfs_bio.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/sys/nfs/nfs_bio.c b/sys/nfs/nfs_bio.c
index 4ae5efe89461..e375a4661c34 100644
--- a/sys/nfs/nfs_bio.c
+++ b/sys/nfs/nfs_bio.c
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs_bio.c 8.5 (Berkeley) 1/4/94
- * $Id: nfs_bio.c,v 1.20 1995/12/07 12:47:23 davidg Exp $
+ * $Id: nfs_bio.c,v 1.21 1995/12/17 21:12:13 phk Exp $
 */
 #include
@@ -211,7 +211,7 @@ nfs_bioread(vp, uio, ioflag, cred)
 */
 if (nfs_numasync > 0 && nmp->nm_readahead > 0) {
 for (nra = 0; nra < nmp->nm_readahead &&
- (lbn + 1 + nra) * biosize < np->n_size; nra++) {
+ (off_t)(lbn + 1 + nra) * biosize < np->n_size; nra++) {
 rabn = lbn + 1 + nra;
 if (!incore(vp, rabn)) {
 rabp = nfs_getcacheblk(vp, rabn, biosize, p);
@@ -240,7 +240,8 @@ nfs_bioread(vp, uio, ioflag, cred)
 */
 again:
 bufsize = biosize;
- if ((lbn + 1) * biosize > np->n_size) {
+ if ((off_t)(lbn + 1) * biosize > np->n_size &&
+ (off_t)(lbn + 1) * biosize - np->n_size < biosize) {
 bufsize = np->n_size - lbn * biosize;
 bufsize = (bufsize + DEV_BSIZE - 1) & ~(DEV_BSIZE - 1);
 }
diff --git a/sys/nfsclient/nfs_bio.c b/sys/nfsclient/nfs_bio.c
index 4ae5efe89461..e375a4661c34 100644
--- a/sys/nfsclient/nfs_bio.c
+++ b/sys/nfsclient/nfs_bio.c
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs_bio.c 8.5 (Berkeley) 1/4/94
- * $Id: nfs_bio.c,v 1.20 1995/12/07 12:47:23 davidg Exp $
+ * $Id: nfs_bio.c,v 1.21 1995/12/17 21:12:13 phk Exp $
 */
 #include
@@ -211,7 +211,7 @@ nfs_bioread(vp, uio, ioflag, cred)
 */
 if (nfs_numasync > 0 && nmp->nm_readahead > 0) {
 for (nra = 0; nra < nmp->nm_readahead &&
- (lbn + 1 + nra) * biosize < np->n_size; nra++) {
+ (off_t)(lbn + 1 + nra) * biosize < np->n_size; nra++) {
 rabn = lbn + 1 + nra;
 if (!incore(vp, rabn)) {
 rabp = nfs_getcacheblk(vp, rabn, biosize, p);
@@ -240,7 +240,8 @@ nfs_bioread(vp, uio, ioflag, cred)
 */
 again:
 bufsize = biosize;
- if ((lbn + 1) * biosize > np->n_size) {
+ if ((off_t)(lbn + 1) * biosize > np->n_size &&
+ (off_t)(lbn + 1) * biosize - np->n_size < biosize) {
 bufsize = np->n_size - lbn * biosize;
 bufsize = (bufsize + DEV_BSIZE - 1) & ~(DEV_BSIZE - 1);
 }
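Review bot: The assignment inside the guarded block, `bufsize = np->n_size - lbn * biosize;`, still forms `lbn * biosize` without the `(off_t)` cast that the new condition applies, so the guard and the value it protects are computed at different widths. The declarations of `lbn`, `biosize` and `bufsize` are outside the hunk, but the commit message itself warns about results being stored in ints and describes this value as sizing a buffer allocation; on an NFS client `np->n_size` presumably tracks a size reported by the server, so the bound should not depend on a product that can wrap. I would widen it the same way, `bufsize = np->n_size - (off_t)lbn * biosize;`, and add a comment on the second clause such as `/* shrink only when EOF lies inside this block; a block wholly past EOF keeps biosize */`. The same hunk appears in sys/nfs/nfs_bio.c and sys/nfsclient/nfs_bio.c, and nfs_bioread starts and ends outside it.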