Re: [PATCH] fs: fix d_path() with zero-length input buffer

From: Oleg Nesterov
Date: Wed Feb 05 2014 - 12:42:52 EST


On 02/05, Denys Vlasenko wrote:
>
> In prepend_name(), *buflen < dlen + 1 comparison is buggy
> because dlen has unsigned data type, and we can reach this location
> with *buflen == -1.

because, say, path_with_deleted() doesn't check the result of
prepend(), and prepend() updates *buflen unconditionally. I am
wondering if it should be changed too just for consistency.

> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -2833,7 +2833,7 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
> u32 dlen = ACCESS_ONCE(name->len);
> char *p;
>
> - if (*buflen < dlen + 1)
> + if (*buflen < (int)dlen + 1)
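
Review bot: At `if (*buflen < (int)dlen + 1)` the cast fixes only this one comparison while `dlen` stays `u32`, so the reason for the cast is not visible at the declaration and any further comparison of `dlen` against a signed length would need its own cast. Consider declaring `dlen` as `int` at `u32 dlen = ACCESS_ONCE(name->len);`, or adding a short comment stating that `*buflen` can be negative here and the comparison must be signed.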

perhaps it would be better to simply make dlen "int" ?

Oleg.
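
The conversion discussed in this thread, as an added C example (not part of the original message and not the code in fs/dcache.c): a simplified model in which a prepend()-style helper lowers the length unconditionally, its result is ignored, and the following length check is evaluated once with an unsigned and once with a signed name length. The function names and the 1-byte and 3-byte sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a prepend()-style helper: it lowers *buflen
 * unconditionally and only then reports that the data did not fit. */
static int model_prepend(char **buf, int *buflen, const char *s, int n)
{
    *buflen -= n;
    if (*buflen < 0)
        return -1;          /* stands in for the kernel's error return */
    *buf -= n;
    memcpy(*buf, s, n);
    return 0;
}

/* Original check: dlen is unsigned, so buflen is converted to unsigned. */
static int rejects_unsigned(int buflen, uint32_t dlen)
{
    return buflen < dlen + 1;
}

/* Patched check: both operands are int, so a negative buflen is rejected. */
static int rejects_signed(int buflen, uint32_t dlen)
{
    return buflen < (int)dlen + 1;
}

/* Zero-length buffer: the caller ignores the helper's result, as the thread
 * describes for path_with_deleted(); returns the resulting buflen. */
static int remaining_after_ignored_prepend(void)
{
    char storage[1];
    char *end = storage;    /* end == start: zero bytes available */
    int buflen = 0;

    (void)model_prepend(&end, &buflen, "", 1);   /* result ignored */
    return buflen;
}

int main(void)
{
    int buflen = remaining_after_ignored_prepend();
    printf("buflen=%d unsigned check rejects=%d signed check rejects=%d\n",
           buflen, rejects_unsigned(buflen, 3), rejects_signed(buflen, 3));
    return 0;
}
```

With the unsigned comparison a length of -1 is converted to a very large unsigned value, so the "buffer too small" branch is not taken; with the signed comparison it is.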
