Index: i386/isa/vesa.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/isa/vesa.c,v
retrieving revision 1.32
diff -u -r1.32 vesa.c
--- i386/isa/vesa.c	29 Jan 2000 15:08:40 -0000	1.32
+++ i386/isa/vesa.c	13 Aug 2002 02:19:13 -0000
@@ -1317,7 +1317,9 @@
 	int bits;
 	int error;
 
-	if ((base < 0) || (base >= 256) || (base + count > 256))
+	if ((base < 0) || (base >= 256) || (count < 0) || (count > 256))
+		return 1;
+	if (base + count > 256)
 		return 1;
 	if (!(vesa_adp_info->v_flags & V_DAC8) || !VESA_MODE(adp->va_mode))
 		return 1;
Index: kern/uipc_syscalls.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_syscalls.c,v
retrieving revision 1.65.2.11
diff -u -r1.65.2.11 uipc_syscalls.c
--- kern/uipc_syscalls.c	12 Jul 2002 08:22:46 -0000	1.65.2.11
+++ kern/uipc_syscalls.c	13 Aug 2002 02:19:15 -0000
@@ -208,6 +208,8 @@
 			sizeof (namelen));
 		if(error)
 			return (error);
+		if (namelen < 0)
+			return (EINVAL);
 	}
 	error = holdsock(fdp, uap->s, &lfp);
 	if (error)
@@ -1195,6 +1197,10 @@
 		fdrop(fp, p);
 		return (error);
 	}
+	if (len < 0) {
+		fdrop(fp, p);
+		return (EINVAL);
+	}
 	so = (struct socket *)fp->f_data;
 	sa = 0;
 	error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, &sa);
@@ -1273,6 +1279,10 @@
 	if (error) {
 		fdrop(fp, p);
 		return (error);
+	}
+	if (len < 0) {
+		fdrop(fp, p);
+		return (EINVAL);
 	}
 	sa = 0;
 	error = (*so->so_proto->pr_usrreqs->pru_peeraddr)(so, &sa);