make prepend_name() work correctly when called with negative *buflen

commit e825196d upstream. In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jiri Slaby <jslaby@suse.cz>

make prepend_name() work correctly when called with negative *buflen
commit e825196d upstream. In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
a41fd753 · Al Viro · Jiri Slaby · 2c611dc0 · a41fd753
Commit a41fd753 authored Mar 23, 2014 by Al Viro Committed by Jiri Slaby Apr 03, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

fs/dcache.c fs/dcache.c +2 -2

No files found.
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2846,9 +2846,9 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
 	u32 dlen = ACCESS_ONCE(name->len);
 	char *p;

-	if (*buflen < dlen + 1)
-		return -ENAMETOOLONG;
 	*buflen -= dlen + 1;
+	if (*buflen < 0)
+		return -ENAMETOOLONG;
 	p = *buffer -= dlen + 1;
 	*p++ = '/';
 	while (dlen--) {