[PATCH] dm: avoid ioctl buffer overrun

From: Kevin Corry <kevcorry@us.ibm.com> dm-ioctl.c::retrieve_status(): Prevent overrunning the ioctl buffer by making sure we don't call the target status routine with a buffer size limit of zero. [Kevin Corry, Alasdair Kergon]

[PATCH] dm: avoid ioctl buffer overrun
From: Kevin Corry <kevcorry@us.ibm.com> dm-ioctl.c::retrieve_status(): Prevent overrunning the ioctl buffer by making sure we don't call the target status routine with a buffer size limit of zero. [Kevin Corry, Alasdair Kergon]
702a8edf · Andrew Morton · Linus Torvalds · e79ed99a · 702a8edf
Commit 702a8edf authored Apr 17, 2004 by Andrew Morton Committed by Linus Torvalds Apr 17, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/md/dm-ioctl.c drivers/md/dm-ioctl.c +5 -1

No files found.
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -800,7 +800,7 @@ static void retrieve_status(struct dm_table *table,
 		struct dm_target *ti = dm_table_get_target(table, i);

 		remaining = len - (outptr - outbuf);
-		if (remaining < sizeof(struct dm_target_spec)) {
+		if (remaining <= sizeof(struct dm_target_spec)) {
 			param->flags |= DM_BUFFER_FULL_FLAG;
 			break;
 		}
@@ -815,6 +815,10 @@ static void retrieve_status(struct dm_table *table,

 		outptr += sizeof(struct dm_target_spec);
 		remaining = len - (outptr - outbuf);
+		if (remaining <= 0) {
+			param->flags |= DM_BUFFER_FULL_FLAG;
+			break;
+		}

 		/* Get the status/table string from the target driver */
 		if (ti->type->status) {