diff options
author | Jason Baron <jbaron@redhat.com> | 2008-10-15 22:01:52 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-10-16 11:21:32 -0700 |
commit | 362e6663ef2369d77251496d865ad02a2376f962 (patch) | |
tree | 48155cf15d85a303623a3f672f719652b0585178 /net/sunrpc/auth.c | |
parent | 9679e4dd628743b9ef4375d60ae69923c3766173 (diff) |
exec.c, compat.c: fix count(), compat_count() bounds checking
With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()' and
compat_count(), it would appear that the current max bounds check of
fs/exec.c:394:
if(++i > max)
return -E2BIG;
would never trigger. Since 'i' is of type int, so values would wrap and the
function would continue looping.
Simple fix seems to be chaning ++i to i++ and checking for '>='.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Ollie Wild" <aaw@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'net/sunrpc/auth.c')
0 files changed, 0 insertions, 0 deletions