make prepend_name() work correctly when called with negative *buflen
In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
99aea68134
commit
e825196d48
1 changed files with 2 additions and 2 deletions
|
@ -2833,9 +2833,9 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
|
||||||
u32 dlen = ACCESS_ONCE(name->len);
|
u32 dlen = ACCESS_ONCE(name->len);
|
||||||
char *p;
|
char *p;
|
||||||
|
|
||||||
if (*buflen < dlen + 1)
|
|
||||||
return -ENAMETOOLONG;
|
|
||||||
*buflen -= dlen + 1;
|
*buflen -= dlen + 1;
|
||||||
|
if (*buflen < 0)
|
||||||
|
return -ENAMETOOLONG;
|
||||||
p = *buffer -= dlen + 1;
|
p = *buffer -= dlen + 1;
|
||||||
*p++ = '/';
|
*p++ = '/';
|
||||||
while (dlen--) {
|
while (dlen--) {
|
||||||
|
|
Loading…
Reference in a new issue