From 18d9a2ca2ea1aa963a077fb49e7efcc3b0237a9b Mon Sep 17 00:00:00 2001 From: Bryan Schumaker Date: Fri, 7 Dec 2012 16:17:29 -0500 Subject: NFSD: Correct the size calculation in fault_inject_write If len == 0 we end up with size = (0 - 1), which could cause bad things to happen in copy_from_user(). Signed-off-by: Bryan Schumaker Signed-off-by: J. Bruce Fields --- fs/nfsd/fault_inject.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfsd/fault_inject.c b/fs/nfsd/fault_inject.c index 7a7b079fbdb1..e761ee95617f 100644 --- a/fs/nfsd/fault_inject.c +++ b/fs/nfsd/fault_inject.c @@ -122,7 +122,7 @@ static ssize_t fault_inject_write(struct file *file, const char __user *buf, size_t len, loff_t *ppos) { char write_buf[INET6_ADDRSTRLEN]; - size_t size = min(sizeof(write_buf), len) - 1; + size_t size = min(sizeof(write_buf) - 1, len); struct net *net = current->nsproxy->net_ns; struct sockaddr_storage sa; u64 val; -- cgit v1.2.3