[PATCH] readv/writev range checking fix

do-readv_writev() is trying to fail if a) any of the segments have a length < 0 or b) the sum of the segments wraps negative. But it gets b) wrong because local variable tot_len is unsigned. Fix that up.

[PATCH] readv/writev range checking fix
do-readv_writev() is trying to fail if a) any of the segments have a length < 0 or b) the sum of the segments wraps negative. But it gets b) wrong because local variable tot_len is unsigned. Fix that up.
fb14ef35 · Andrew Morton · Linus Torvalds · b1ee3fea · fb14ef35
Commit fb14ef35 authored Apr 11, 2004 by Andrew Morton Committed by Linus Torvalds Apr 11, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

fs/read_write.c fs/read_write.c +3 -3

No files found.
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -412,13 +412,13 @@ static ssize_t do_readv_writev(int type, struct file *file,
 	 */
 	tot_len = 0;
 	ret = -EINVAL;
-	for (seg = 0 ; seg < nr_segs; seg++) {
+	for (seg = 0; seg < nr_segs; seg++) {
-		ssize_t tmp = tot_len;
 		ssize_t len = (ssize_t)iov[seg].iov_len;
 		if (len < 0)	/* size_t not fitting an ssize_t .. */
 			goto out;
 		tot_len += len;
-		if (tot_len < tmp) /* maths overflow on the ssize_t */
+		if ((ssize_t)tot_len < 0) /* maths overflow on the ssize_t */
 			goto out;
 	}
 	if (tot_len == 0) {