| From e825196d48d2b89a6ec3a8eff280098d2a78207e Mon Sep 17 00:00:00 2001 |
| From: Al Viro <viro@zeniv.linux.org.uk> |
| Date: Sun, 23 Mar 2014 00:28:40 -0400 |
| Subject: make prepend_name() work correctly when called with negative *buflen |
| |
| From: Al Viro <viro@zeniv.linux.org.uk> |
| |
| commit e825196d48d2b89a6ec3a8eff280098d2a78207e upstream. |
| |
| In all callchains leading to prepend_name(), the value left in *buflen |
| is eventually discarded unused if prepend_name() has returned a negative. |
| So we are free to do what prepend() does, and subtract from *buflen |
| *before* checking for underflow (which turns into checking the sign |
| of subtraction result, of course). |
| |
| Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/dcache.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/fs/dcache.c |
| +++ b/fs/dcache.c |
| @@ -2833,9 +2833,9 @@ static int prepend_name(char **buffer, i |
| u32 dlen = ACCESS_ONCE(name->len); |
| char *p; |
| |
| - if (*buflen < dlen + 1) |
| - return -ENAMETOOLONG; |
| *buflen -= dlen + 1; |
| + if (*buflen < 0) |
| + return -ENAMETOOLONG; |
| p = *buffer -= dlen + 1; |
| *p++ = '/'; |
| while (dlen--) { |
