Commit e825196d authored Mar 23, 2014 by Al Viro

make prepend_name() work correctly when called with negative *buflen



In all callchains leading to prepend_name(), the value left in *buflen
is eventually discarded unused if prepend_name() has returned a negative.
So we are free to do what prepend() does, and subtract from *buflen
*before* checking for underflow (which turns into checking the sign
of subtraction result, of course).

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 99aea681

fs/dcache.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2833,9 +2833,9 @@ static int prepend_name(char *buffer, int buflen, struct qstr *name)
		u32 dlen = ACCESS_ONCE(name->len);
		char *p;

		if (*buflen < dlen + 1)
		return -ENAMETOOLONG;
		*buflen -= dlen + 1;
		if (*buflen < 0)
		return -ENAMETOOLONG;
		p = *buffer -= dlen + 1;
		*p++ = '/';
		while (dlen--) {