SUNRPC: Prevent length underflow in read_flush()
authorChuck Lever <chuck.lever@oracle.com>
Fri, 26 Oct 2007 17:31:20 +0000 (13:31 -0400)
committerJ. Bruce Fields <bfields@citi.umich.edu>
Fri, 1 Feb 2008 21:42:02 +0000 (16:42 -0500)
Make sure we compare an unsigned length to an unsigned count in
read_flush().

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
net/sunrpc/cache.c

index 73f053d0cc7a4f7eee6d65954f5383cb6d6fa18e..d27bbe0ee90715ecadd2f2c4a7b16cff59ebfe87 100644 (file)
@@ -1244,18 +1244,18 @@ static ssize_t read_flush(struct file *file, char __user *buf,
        struct cache_detail *cd = PDE(file->f_path.dentry->d_inode)->data;
        char tbuf[20];
        unsigned long p = *ppos;
-       int len;
+       size_t len;
 
        sprintf(tbuf, "%lu\n", cd->flush_time);
        len = strlen(tbuf);
        if (p >= len)
                return 0;
        len -= p;
-       if (len > count) len = count;
+       if (len > count)
+               len = count;
        if (copy_to_user(buf, (void*)(tbuf+p), len))
-               len = -EFAULT;
-       else
-               *ppos += len;
+               return -EFAULT;
+       *ppos += len;
        return len;
 }