Commit c1a20245 authored by Mika Kukkonen, committed by Linus Torvalds

[PATCH] int return to unsigned in smb_proc_readdir_long() in fs/smbfs/proc.c

  CC [M]  fs/smbfs/proc.o
fs/smbfs/proc.c: In function `smb_proc_readdir_long':
fs/smbfs/proc.c:2313: warning: comparison of unsigned expression < 0 is always false
fs/smbfs/proc.c:2467: warning: comparison of unsigned expression < 0 is always false

The first one is pretty dangerous looking, as smb_proc_readdir_long() can
return several negative error values and all those are converted to
unsigned and then erroneously pass the test on line 2313.  Chris Wright gave
it a quick look and we did not see immediately if this can be remotely
exploited, but it looks pretty scary.

The second warning on line 2467 is just extra so I just removed it.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 7ad90975
...@@ -2309,16 +2309,14 @@ smb_proc_readdir_long(struct file *filp, void *dirent, filldir_t filldir, ...@@ -2309,16 +2309,14 @@ smb_proc_readdir_long(struct file *filp, void *dirent, filldir_t filldir,
*/ */
mask = param + 12; mask = param + 12;
mask_len = smb_encode_path(server, mask, SMB_MAXPATHLEN+1, dir, &star); result = smb_encode_path(server, mask, SMB_MAXPATHLEN+1, dir, &star);
if (mask_len < 0) { if (result <= 0)
result = mask_len;
goto out_free; goto out_free;
} mask_len = result - 1; /* mask_len is strlen, not #bytes */
mask_len--; /* mask_len is strlen, not #bytes */ result = 0;
first = 1; first = 1;
VERBOSE("starting mask_len=%d, mask=%s\n", mask_len, mask); VERBOSE("starting mask_len=%d, mask=%s\n", mask_len, mask);
result = 0;
entries_seen = 2; entries_seen = 2;
ff_eos = 0; ff_eos = 0;
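Review bot: The new test "if (result <= 0) goto out_free;" also takes the exit path when smb_encode_path() returns exactly 0, and in that case result is 0 at the jump. If out_free hands result back to the caller, as the old "result = mask_len;" assignment suggests, a zero-length encode is reported as success with no entries read. Rejecting 0 is the right call, because "result - 1" stored into the unsigned mask_len would wrap to a very large length, but the zero case should either set an explicit negative error before the goto or carry a comment stating why smb_encode_path() cannot return 0 here. It would also help to note next to the check that result is the signed variable and mask_len the unsigned one, since mixing them is what hid the error returns in the first place.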
...@@ -2464,8 +2462,6 @@ smb_proc_readdir_long(struct file *filp, void *dirent, filldir_t filldir, ...@@ -2464,8 +2462,6 @@ smb_proc_readdir_long(struct file *filp, void *dirent, filldir_t filldir,
/* /*
* Update the mask string for the next message. * Update the mask string for the next message.
*/ */
if (mask_len < 0)
mask_len = 0;
if (mask_len > 255) if (mask_len > 255)
mask_len = 255; mask_len = 255;
if (mask_len) if (mask_len)
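Review bot: Dropping "if (mask_len < 0) mask_len = 0;" is correct only while mask_len stays an unsigned type, and nothing near the remaining "if (mask_len > 255)" clamp records that dependency. A one-line comment at the clamp saying that mask_len is unsigned and therefore needs no lower bound would stop a later change of its type back to int from silently reintroducing a negative length into the mask update below. The bare 255 would also read better as a named constant, or with a comment saying which protocol field limit it reflects.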