From mboxrd@z Thu Jan  1 00:00:00 1970
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: Re: [PATCH] linux-2.6.18/xenbus: fix overflow check in
 xenbus_dev_write()
Date: Wed, 17 Oct 2012 12:26:18 -0400
Message-ID: <20121017162617.GA32178@phenom.dumpdata.com>
References: <507D6CCC02000078000A1B07@nat28.tlf.novell.com>
	<1350392403.18058.116.camel@zakaz.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Content-Disposition: inline
In-Reply-To: <1350392403.18058.116.camel@zakaz.uk.xensource.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: Jan Beulich <JBeulich@suse.com>, xen-devel <xen-devel@lists.xen.org>
List-Id: xen-devel@lists.xenproject.org

On Tue, Oct 16, 2012 at 02:00:03PM +0100, Ian Campbell wrote:
> On Tue, 2012-10-16 at 13:18 +0100, Jan Beulich wrote:
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> Acked-by: Ian Campbell <ian.campbell@citrix.com>
> 
> CC-ing Konrad since I think that modulo tweaking the path this ought to
> apply as is to upstream kernels.
> 
> > 
> > --- a/drivers/xen/xenbus/xenbus_dev.c
> > +++ b/drivers/xen/xenbus/xenbus_dev.c
> > @@ -239,7 +239,7 @@ static ssize_t xenbus_dev_write(struct f
> >  	if (!is_xenstored_ready())
> >  		return -ENODEV;
> >  
> > -	if ((len + u->len) > sizeof(u->u.buffer)) {
> > +	if (len > sizeof(u->u.buffer) - u->len) {
> >  		rc = -EINVAL;
> >  		goto out;
> >  	}
> > 
> > 
> > 

Like this:

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 89f7625..ac72702 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -458,7 +458,7 @@ static ssize_t xenbus_file_write(struct file *filp,
 		goto out;
 
 	/* Can't write a xenbus message larger we can buffer */
-	if ((len + u->len) > sizeof(u->u.buffer)) {
+	if (len > sizeof(u->u.buffer) - u->len) {
 		/* On error, dump existing buffer */
 		u->len = 0;
 		rc = -EINVAL;