[PATCH] ide-cd: unsigned len subtracted below 0?

[PATCH] ide-cd: unsigned len subtracted below 0?

[Roel Kluin]

len is unsigned, so take care not to subtract below 0.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index ddfbea4..23447a0 100644
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -916,7 +916,10 @@ static ide_startstop_t cdrom_newpc_intr(ide_drive_t *drive)
 		xferfunc(drive, NULL, ptr, blen);
 
 		thislen -= blen;
-		len -= blen;
+		if (blen > len)
+			len -= blen;
+		else
+			len = 0;
 
 		if (blk_fs_request(rq)) {
 			rq->buffer += blen;

Re: [PATCH] ide-cd: unsigned len subtracted below 0?

[Borislav Petkov]

On Wed, Mar 04, 2009 at 12:13:46AM +0100, Roel Kluin wrote:
> len is unsigned, so take care not to subtract below 0.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
> index ddfbea4..23447a0 100644
> --- a/drivers/ide/ide-cd.c
> +++ b/drivers/ide/ide-cd.c
> @@ -916,7 +916,10 @@ static ide_startstop_t cdrom_newpc_intr(ide_drive_t *drive)
>  		xferfunc(drive, NULL, ptr, blen);
>  
>  		thislen -= blen;
> -		len -= blen;
> +		if (blen > len)
> +			len -= blen;
> +		else
> +			len = 0;

Hi,

can you please look at the code and try to understand what it does.
Especially the part where thislen is being initialized:

        thislen = blk_fs_request(rq) ? len : cmd->nleft;
        if (thislen > len)
                thislen = len;

now look at the loop where len is being decremented. Question: can len
really wrap?

>  
>  		if (blk_fs_request(rq)) {
>  			rq->buffer += blen;