While searching a tree we didn't properly check the number of items we really
stored in the user's buffer, thus possibly exceeding the number of items requested
by the user. This was mostly harmless since the actual buffer overflow is checked
correctly in a different place. Anyway, let's fix the check.

Signed-off-by: Jan Kara <j...@suse.cz>
---
 fs/btrfs/ioctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 9254b3d..94e7ab5 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -977,7 +977,7 @@ static noinline int copy_to_sk(struct btrfs_root *root,
                }
                found++;
 
-               if (*num_found >= sk->nr_items)
+               if (*num_found + found >= sk->nr_items)
                        break;
        }
 advance_key:
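
Review bot: The new condition `*num_found + found >= sk->nr_items` has no comment explaining why two counters are summed, and the hunk does not show where `*num_found` is updated. The fix is only correct if `*num_found` stays unchanged inside this loop while `found` counts the items stored in the current pass. Please add a one-line comment above the check stating that relationship, so a later change that moves the `*num_found` update into the loop does not end up double counting. The hunk also does not show the types of `found` and `sk->nr_items`. If they differ in width or signedness, it is worth confirming that the sum is compared the way you intend.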
-- 
1.6.4.2
