Commit da574983 authored by Al Viro

[PATCH] fix hpux_getdents()

Missing checks for -EFAULT, broken handling of overflow.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent 645e68ed
...@@ -84,22 +84,28 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset, ...@@ -84,22 +84,28 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
if (reclen > buf->count) if (reclen > buf->count)
return -EINVAL; return -EINVAL;
d_ino = ino; d_ino = ino;
if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
buf->error = -EOVERFLOW;
return -EOVERFLOW; return -EOVERFLOW;
}
dirent = buf->previous; dirent = buf->previous;
if (dirent) if (dirent)
put_user(offset, &dirent->d_off); if (put_user(offset, &dirent->d_off))
goto Efault;
dirent = buf->current_dir; dirent = buf->current_dir;
if (put_user(d_ino, &dirent->d_ino) ||
put_user(reclen, &dirent->d_reclen) ||
put_user(namlen, &dirent->d_namlen) ||
copy_to_user(dirent->d_name, name, namlen) ||
put_user(0, dirent->d_name + namlen))
goto Efault;
buf->previous = dirent; buf->previous = dirent;
put_user(d_ino, &dirent->d_ino); buf->current_dir = (void __user *)dirent + reclen;
put_user(reclen, &dirent->d_reclen);
put_user(namlen, &dirent->d_namlen);
copy_to_user(dirent->d_name, name, namlen);
put_user(0, dirent->d_name + namlen);
dirent = (void __user *)dirent + reclen;
buf->current_dir = dirent;
buf->count -= reclen; buf->count -= reclen;
return 0; return 0;
Efault:
buffer->error = -EFAULT;
return -EFAULT;
} }
#undef NAME_OFFSET #undef NAME_OFFSET
...@@ -126,8 +132,10 @@ int hpux_getdents(unsigned int fd, struct hpux_dirent __user *dirent, unsigned i ...@@ -126,8 +132,10 @@ int hpux_getdents(unsigned int fd, struct hpux_dirent __user *dirent, unsigned i
error = buf.error; error = buf.error;
lastdirent = buf.previous; lastdirent = buf.previous;
if (lastdirent) { if (lastdirent) {
put_user(file->f_pos, &lastdirent->d_off); if (put_user(file->f_pos, &lastdirent->d_off))
error = count - buf.count; error = -EFAULT;
else
error = count - buf.count;
} }
out_putf: out_putf:
......
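Review bot: The new `Efault:` exit in filldir stores the error with `buffer->error = -EFAULT;`, while every other line of the hunk reaches the callback state through `buf` (`buf->count`, `buf->error`, `buf->previous`) and no `buffer` is visible here. Unless a `buffer` is declared above the hunk, the file will not build, so the added -EFAULT checks never ship. If one does exist, the fault is recorded somewhere other than the `buf.error` that hpux_getdents reads back. The line should read `buf->error = -EFAULT;`, matching the `buf->error = -EOVERFLOW;` added earlier in the same hunk. filldir's declarations lie outside the hunk, so this should be confirmed against the full function.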