Commit 01b2969a authored by Chuck Lever's avatar Chuck Lever Committed by J. Bruce Fields

SUNRPC: Prevent length underflow in read_flush()

Make sure we compare an unsigned length to an unsigned count in
read_flush().
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
parent d4395e03
...@@ -1244,18 +1244,18 @@ static ssize_t read_flush(struct file *file, char __user *buf, ...@@ -1244,18 +1244,18 @@ static ssize_t read_flush(struct file *file, char __user *buf,
struct cache_detail *cd = PDE(file->f_path.dentry->d_inode)->data; struct cache_detail *cd = PDE(file->f_path.dentry->d_inode)->data;
char tbuf[20]; char tbuf[20];
unsigned long p = *ppos; unsigned long p = *ppos;
int len; size_t len;
sprintf(tbuf, "%lu\n", cd->flush_time); sprintf(tbuf, "%lu\n", cd->flush_time);
len = strlen(tbuf); len = strlen(tbuf);
if (p >= len) if (p >= len)
return 0; return 0;
len -= p; len -= p;
if (len > count) len = count; if (len > count)
len = count;
if (copy_to_user(buf, (void*)(tbuf+p), len)) if (copy_to_user(buf, (void*)(tbuf+p), len))
len = -EFAULT; return -EFAULT;
else *ppos += len;
*ppos += len;
return len; return len;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment