Index: sys/fs/nandfs/nandfs_dat.c =================================================================== --- sys/fs/nandfs/nandfs_dat.c +++ sys/fs/nandfs/nandfs_dat.c @@ -298,6 +298,9 @@ size_t size; int error; + if (nargv->nv_nmembs >= SIZE_MAX / sizeof(struct nandfs_bdesc)) + return (EINVAL); + size = nargv->nv_nmembs * sizeof(struct nandfs_bdesc); bd = malloc(size, M_NANDFSTEMP, M_WAITOK); error = copyin((void *)(uintptr_t)nargv->nv_base, bd, size);