[PATCH] prevent possible infinite loop in fs/select.c::do_pollfd()

From: Jesper Juhl
Date: Sat Apr 23 2005 - 18:20:44 EST

Next message: Petr Baudis: "Re: Linux 2.6.12-rc3"
Previous message: Petr Baudis: "Re: Linux 2.6.12-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If a sufficiently large 'num' is passed to the function, the for loop
becomes an infinite loop - as far as I can see, that's a bug waiting to
happen. Sure, 'len' in struct poll_list is currently an int, so currently
this can't happen, but that might change in the future. In my oppinion,
a function should be able to function correctly with the complete range
of values that can potentially be passed via its parameters, and without
the patch below that's just not true for this function.

Signed-off-by: Jesper Juhl <juhl-lkml@xxxxxx>

--- linux-2.6.12-rc2-mm3-orig/fs/select.c 2005-04-05 21:21:47.000000000 +0200
+++ linux-2.6.12-rc2-mm3/fs/select.c 2005-04-24 01:11:13.000000000 +0200
@@ -397,7 +397,7 @@ struct poll_list {
static void do_pollfd(unsigned int num, struct pollfd * fdpage,
poll_table ** pwait, int *count)
{
- int i;
+ unsigned int i;

for (i = 0; i < num; i++) {
int fd;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Petr Baudis: "Re: Linux 2.6.12-rc3"
Previous message: Petr Baudis: "Re: Linux 2.6.12-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]