• Zach Brown's avatar
    fuse: verify all ioctl retry iov elements · fb6ccff6
    Zach Brown authored
    Commit 7572777e
     attempted to verify that
    the total iovec from the client doesn't overflow iov_length() but it
    only checked the first element.  The iovec could still overflow by
    starting with a small element.  The obvious fix is to check all the
    The overflow case doesn't look dangerous to the kernel as the copy is
    limited by the length after the overflow.  This fix restores the
    intention of returning an error instead of successfully copying less
    than the iovec represented.
    I found this by code inspection.  I built it but don't have a test case.
    I'm cc:ing stable because the initial commit did as well.
    Signed-off-by: default avatarZach Brown <zab@redhat.com>
    Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
    CC: <stable@vger.kernel.org>         [2.6.37+]