authorPhilip Guenthe <guenther@cvs.openbsd.org>2011-11-06 15:09:03 +0000
committerPhilip Guenthe <guenther@cvs.openbsd.org>2011-11-06 15:09:03 +0000
commit1ce6a698f5b8e0a1a2922046107e28e34addeaf0 (patch)
treeb0057d748f6d867dbeb302aefbb257aa54b4e889 /sys
parent9f12706c90b9b2e5ef0a1ad31921bc8ca4505540 (diff)
Negative offsets to pread/pwrite-family are only legal for character devices.
Pointed out by Alexander Polakov (polachok at gmail.com) ok deraadt@
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/vfs_syscalls.c22
1 files changed, 15 insertions, 7 deletions
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 1455c18f62b..594916e142d 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vfs_syscalls.c,v 1.179 2011/11/05 15:47:37 guenther Exp $ */
+/* $OpenBSD: vfs_syscalls.c,v 1.180 2011/11/06 15:09:02 guenther Exp $ */
/* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */
/*
@@ -2885,6 +2885,8 @@ sys_pread(struct proc *p, void *v, register_t *retval)
iov.iov_len = SCARG(uap, nbyte);
offset = SCARG(uap, offset);
+ if (offset < 0 && vp->v_type != VCHR)
+ return (EINVAL);
FREF(fp);
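Review bot: The new `if (offset < 0 && vp->v_type != VCHR)` test in sys_pread carries no comment saying why character devices are exempt, and the same two lines are repeated verbatim in the sys_preadv, sys_pwrite and sys_pwritev hunks. A one-line comment such as `/* negative offsets are only meaningful to character devices, whose drivers interpret the offset themselves */` would record that negative offsets still reach VCHR drivers and must be validated there. Since the four copies have to stay in sync, a small static helper taking `vp` and `offset` would keep the rule in one place. The test sits before `FREF(fp)`, so the early return needs no matching FRELE; that ordering should be kept if the code is rearranged. sys_pread's body starts and ends outside this hunk, so the check that makes `vp` a valid vnode pointer is not visible here.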
@@ -2922,9 +2924,11 @@ sys_preadv(struct proc *p, void *v, register_t *retval)
return (ESPIPE);
}
- FREF(fp);
-
offset = SCARG(uap, offset);
+ if (offset < 0 && vp->v_type != VCHR)
+ return (EINVAL);
+
+ FREF(fp);
/* dofilereadv() will FRELE the descriptor for us */
return (dofilereadv(p, fd, fp, SCARG(uap, iovp), SCARG(uap, iovcnt), 1,
@@ -2965,9 +2969,11 @@ sys_pwrite(struct proc *p, void *v, register_t *retval)
iov.iov_base = (void *)SCARG(uap, buf);
iov.iov_len = SCARG(uap, nbyte);
- FREF(fp);
-
offset = SCARG(uap, offset);
+ if (offset < 0 && vp->v_type != VCHR)
+ return (EINVAL);
+
+ FREF(fp);
/* dofilewrite() will FRELE the descriptor for us */
return (dofilewritev(p, fd, fp, &iov, 1, 0, &offset, retval));
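Review bot: The comment above the final call in sys_pwrite names `dofilewrite()`, but the function actually called on the next line is `dofilewritev()`. With the `FREF(fp)` line being moved in this hunk, the comment could be corrected to `/* dofilewritev() will FRELE the descriptor for us */`, matching the wording in the sys_pwritev hunk. An accurate name helps anyone auditing the FREF/FRELE pairing around the new early `EINVAL` return. sys_pwrite's body begins outside the hunk.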
@@ -3003,9 +3009,11 @@ sys_pwritev(struct proc *p, void *v, register_t *retval)
return (ESPIPE);
}
- FREF(fp);
-
offset = SCARG(uap, offset);
+ if (offset < 0 && vp->v_type != VCHR)
+ return (EINVAL);
+
+ FREF(fp);
/* dofilewritev() will FRELE the descriptor for us */
return (dofilewritev(p, fd, fp, SCARG(uap, iovp), SCARG(uap, iovcnt),