diff options
author | Jason Baron <jbaron@redhat.com> | 2008-10-16 01:01:52 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-10-16 14:21:32 -0400 |
commit | 362e6663ef2369d77251496d865ad02a2376f962 (patch) | |
tree | 48155cf15d85a303623a3f672f719652b0585178 | |
parent | 9679e4dd628743b9ef4375d60ae69923c3766173 (diff) |
exec.c, compat.c: fix count(), compat_count() bounds checking
With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()' and
compat_count(), it would appear that the current max bounds check of
fs/exec.c:394:
if(++i > max)
return -E2BIG;
would never trigger. Since 'i' is of type int, so values would wrap and the
function would continue looping.
Simple fix seems to be chaning ++i to i++ and checking for '>='.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Ollie Wild" <aaw@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | fs/compat.c | 2 | ||||
-rw-r--r-- | fs/exec.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/fs/compat.c b/fs/compat.c index 075d0509970d..aae13d31612f 100644 --- a/fs/compat.c +++ b/fs/compat.c | |||
@@ -1239,7 +1239,7 @@ static int compat_count(compat_uptr_t __user *argv, int max) | |||
1239 | if (!p) | 1239 | if (!p) |
1240 | break; | 1240 | break; |
1241 | argv++; | 1241 | argv++; |
1242 | if(++i > max) | 1242 | if (i++ >= max) |
1243 | return -E2BIG; | 1243 | return -E2BIG; |
1244 | } | 1244 | } |
1245 | } | 1245 | } |
@@ -391,7 +391,7 @@ static int count(char __user * __user * argv, int max) | |||
391 | if (!p) | 391 | if (!p) |
392 | break; | 392 | break; |
393 | argv++; | 393 | argv++; |
394 | if(++i > max) | 394 | if (i++ >= max) |
395 | return -E2BIG; | 395 | return -E2BIG; |
396 | cond_resched(); | 396 | cond_resched(); |
397 | } | 397 | } |