Yet another (unsigned) cast who's only purpose is to incorrectly truncate

a size_t. Multiply-overflow is checked beforehands.  If this could (it can't)
validly be more than 4GB, the (unsigned) is a truncation and causes copyin of
insufficient data, without indicating error...
ok claudio

1 files changed, 2 insertions, 2 deletions

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 4c34bfb7a32..f1f45715106 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_syscalls.c,v 1.180 2018/11/19 16:12:06 tedu Exp $	*/
+/*	$OpenBSD: uipc_syscalls.c,v 1.181 2019/03/04 07:09:54 deraadt Exp $	*/
 /*	$NetBSD: uipc_syscalls.c,v 1.19 1996/02/09 19:00:48 christos Exp $	*/
 
 /*
@@ -556,7 +556,7 @@ sys_sendmsg(struct proc *p, void *v, register_t *retval)
 		iov = aiov;
 	if (msg.msg_iovlen &&
 	    (error = copyin(msg.msg_iov, iov,
-		    (unsigned)(msg.msg_iovlen * sizeof (struct iovec)))))
+		    msg.msg_iovlen * sizeof (struct iovec))))
 		goto done;
 #ifdef KTRACE
 	if (msg.msg_iovlen && KTRPOINT(p, KTR_STRUCT))