exec.c, compat.c: fix count(), compat_count() bounds checking
authorJason Baron <jbaron@redhat.com>
Thu, 16 Oct 2008 05:01:52 +0000 (22:01 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Thu, 16 Oct 2008 18:21:32 +0000 (11:21 -0700)
With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()' and
compat_count(), it would appear that the current max bounds check of
fs/exec.c:394:

if(++i > max)
return -E2BIG;

would never trigger. Since 'i' is of type int, so values would wrap and the
function would continue looping.

Simple fix seems to be chaning ++i to i++ and checking for '>='.

Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Ollie Wild" <aaw@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/compat.c
fs/exec.c

index 075d0509970de479c78e796cb4ce11d94945fbb5..aae13d31612f04208e6fdb2f23a9189baf0f6b72 100644 (file)
@@ -1239,7 +1239,7 @@ static int compat_count(compat_uptr_t __user *argv, int max)
                        if (!p)
                                break;
                        argv++;
-                       if(++i > max)
+                       if (i++ >= max)
                                return -E2BIG;
                }
        }
index cecee501ce78805c32c9d007c658fce1e87b0a97..7b5ed50eadeb95daf8c4617c9372ceb5f2878245 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -391,7 +391,7 @@ static int count(char __user * __user * argv, int max)
                        if (!p)
                                break;
                        argv++;
-                       if(++i > max)
+                       if (i++ >= max)
                                return -E2BIG;
                        cond_resched();
                }