make prepend_name() work correctly when called with negative *buflen

commit e825196d48d2b89a6ec3a8eff280098d2a78207e upstream. In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Al Viro <viro@zeniv.linux.org.uk> 2014-03-23 00:28:40 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-04-03 12:02:36 -0700
commit: fa82051f97c1e81e44ae1517a4303db6ceba1e2b (patch)
tree: 7577b51903b553991dba123d3d21f21e0bf90338 /fs
parent: abfabd98494dcba8cefe726a28c006be87b34d0c (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/dcache.c b/fs/dcache.c
index fdbe2302781..f7ad6d71b1c 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2833,9 +2833,9 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
 	u32 dlen = ACCESS_ONCE(name->len);
 	char *p;
 
-	if (*buflen < dlen + 1)
-		return -ENAMETOOLONG;
 	*buflen -= dlen + 1;
+	if (*buflen < 0)
+		return -ENAMETOOLONG;
 	p = *buffer -= dlen + 1;
 	*p++ = '/';
 	while (dlen--) {
author	Al Viro <viro@zeniv.linux.org.uk>	2014-03-23 00:28:40 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-04-03 12:02:36 -0700
commit	fa82051f97c1e81e44ae1517a4303db6ceba1e2b (patch)
tree	7577b51903b553991dba123d3d21f21e0bf90338 /fs
parent	abfabd98494dcba8cefe726a28c006be87b34d0c (diff)