summaryrefslogtreecommitdiffstats
path: root/fs/sysfs/file.c
diff options
context:
space:
mode:
authorMiao Xie <miaox@cn.fujitsu.com>2007-11-21 23:55:19 +0100
committerGreg Kroah-Hartman <gregkh@suse.de>2007-11-28 22:53:53 +0100
commit8118a859dc7abd873193986c77a8d9bdb877adc8 (patch)
tree6b66719637ba2b4174c126cb751a090de0536269 /fs/sysfs/file.c
parentkobject: two typo fixes (diff)
downloadlinux-8118a859dc7abd873193986c77a8d9bdb877adc8.tar.xz
linux-8118a859dc7abd873193986c77a8d9bdb877adc8.zip
sysfs: fix off-by-one error in fill_read_buffer()
I found that there is a off-by-one problem in the following code. Version: 2.6.24-rc2 File: fs/sysfs/file.c:118-122 Function: fill_read_buffer -------------------------------------------------------------------- count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page); sysfs_put_active_two(attr_sd); BUG_ON(count > (ssize_t)PAGE_SIZE); -------------------------------------------------------------------- Because according to the specification of the sysfs and the implement of the show methods, the show methods return the number of bytes which would be generated for the given input, excluding the trailing null.So if the return value of the show methods equals PAGE_SIZE - 1, the buffer is full in fact. And if the return value equals PAGE_SIZE, the resulting string was already truncated,or buffer overflow occurred. This patch fixes an off-by-one error in fill_read_buffer. Signed-off-by: Miao Xie <miaox@cn.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Tejun Heo <teheo@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs/sysfs/file.c')
-rw-r--r--fs/sysfs/file.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
index 27d1785b7644..4045bdcc4b33 100644
--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -119,7 +119,11 @@ static int fill_read_buffer(struct dentry * dentry, struct sysfs_buffer * buffer
sysfs_put_active_two(attr_sd);
- BUG_ON(count > (ssize_t)PAGE_SIZE);
+ /*
+ * The code works fine with PAGE_SIZE return but it's likely to
+ * indicate truncated result or overflow in normal use cases.
+ */
+ BUG_ON(count >= (ssize_t)PAGE_SIZE);
if (count >= 0) {
buffer->needs_read_fill = 0;
buffer->count = count;