From 3186db059ba97cfbb781820b73e7e9a8d2057d86 Mon Sep 17 00:00:00 2001
From: equinox <equinox@2edecd69-f0ce-4815-94af-351a89d40aaa>
Date: Sun, 11 May 2008 22:57:21 +0000
Subject: [PATCH] same security fix for bsd device

git-svn-id: https://anytun.org/svn/anytun@527 2edecd69-f0ce-4815-94af-351a89d40aaa
---
 src/bsd/tunDevice.cpp | 11 +++++++++--
 src/bsd/tunDevice.h   |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/bsd/tunDevice.cpp b/src/bsd/tunDevice.cpp
index 47558de..5ad6ea7 100644
--- a/src/bsd/tunDevice.cpp
+++ b/src/bsd/tunDevice.cpp
@@ -165,6 +165,13 @@ void TunDevice::init_post()
  #error Target not supported
 #endif
 
+int TunDevice::fix_return(int ret, size_t type_length)
+{
+  if(ret < 0)
+    return ret;
+
+  return (static_cast<size_t>(ret) > type_length ? (ret - type_length) : 0);
+}
 
 short TunDevice::read(u_int8_t* buf, u_int32_t len)
 {
@@ -179,7 +186,7 @@ short TunDevice::read(u_int8_t* buf, u_int32_t len)
     iov[0].iov_len = sizeof(type);
     iov[1].iov_base = buf;
     iov[1].iov_len = len;
-    return(::readv(fd_, iov, 2) - sizeof(type));
+    return(fix_return(::readv(fd_, iov, 2), sizeof(type)));
   }
   else
     return(::read(fd_, buf, len));
@@ -205,7 +212,7 @@ int TunDevice::write(u_int8_t* buf, u_int32_t len)
     iov[0].iov_len = sizeof(type);
     iov[1].iov_base = buf;
     iov[1].iov_len = len;
-    return(::writev(fd_, iov, 2) - sizeof(type));
+    return(fix_return(::writev(fd_, iov, 2), sizeof(type)));
   }
   else
     return(::write(fd_, buf, len));
diff --git a/src/bsd/tunDevice.h b/src/bsd/tunDevice.h
index 16408a2..8641d2c 100644
--- a/src/bsd/tunDevice.h
+++ b/src/bsd/tunDevice.h
@@ -54,6 +54,7 @@ private:
 
   void init_post();
   void do_ifconfig();
+  int fix_return(int ret, size_t type_length);
 
   int fd_;
   DeviceConfig conf_;
-- 
2.11.4.GIT