Skip to content

Commit

Permalink
make prepend_name() work correctly when called with negative *buflen
Browse files Browse the repository at this point in the history 
In all callchains leading to prepend_name(), the value left in *buflen
is eventually discarded unused if prepend_name() has returned a negative.
So we are free to do what prepend() does, and subtract from *buflen
*before* checking for underflow (which turns into checking the sign
of subtraction result, of course).

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  • Loading branch information
Al Viro committed Mar 23, 2014
1 parent 99aea68 commit e825196
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions fs/dcache.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2833,9 +2833,9 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
u32 dlen = ACCESS_ONCE(name->len);
char *p;

if (*buflen < dlen + 1)
return -ENAMETOOLONG;
*buflen -= dlen + 1;
if (*buflen < 0)
return -ENAMETOOLONG;
p = *buffer -= dlen + 1;
*p++ = '/';
while (dlen--) {
Expand Down

0 comments on commit e825196

Please sign in to comment.