summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMiao Xie <miaox@cn.fujitsu.com>2007-11-21 14:55:19 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2007-11-28 13:53:53 -0800
commit8118a859dc7abd873193986c77a8d9bdb877adc8 (patch)
tree6b66719637ba2b4174c126cb751a090de0536269
parent71409a498e96a421bdc20e7275ebc4fab8b14cdc (diff)
downloadlinux-3.10-8118a859dc7abd873193986c77a8d9bdb877adc8.tar.gz
linux-3.10-8118a859dc7abd873193986c77a8d9bdb877adc8.tar.bz2
linux-3.10-8118a859dc7abd873193986c77a8d9bdb877adc8.zip
sysfs: fix off-by-one error in fill_read_buffer()
I found that there is a off-by-one problem in the following code. Version: 2.6.24-rc2 File: fs/sysfs/file.c:118-122 Function: fill_read_buffer -------------------------------------------------------------------- count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page); sysfs_put_active_two(attr_sd); BUG_ON(count > (ssize_t)PAGE_SIZE); -------------------------------------------------------------------- Because according to the specification of the sysfs and the implement of the show methods, the show methods return the number of bytes which would be generated for the given input, excluding the trailing null.So if the return value of the show methods equals PAGE_SIZE - 1, the buffer is full in fact. And if the return value equals PAGE_SIZE, the resulting string was already truncated,or buffer overflow occurred. This patch fixes an off-by-one error in fill_read_buffer. Signed-off-by: Miao Xie <miaox@cn.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Tejun Heo <teheo@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--fs/sysfs/file.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
index 27d1785b764..4045bdcc4b3 100644
--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -119,7 +119,11 @@ static int fill_read_buffer(struct dentry * dentry, struct sysfs_buffer * buffer
sysfs_put_active_two(attr_sd);
- BUG_ON(count > (ssize_t)PAGE_SIZE);
+ /*
+ * The code works fine with PAGE_SIZE return but it's likely to
+ * indicate truncated result or overflow in normal use cases.
+ */
+ BUG_ON(count >= (ssize_t)PAGE_SIZE);
if (count >= 0) {
buffer->needs_read_fill = 0;
buffer->count = count;