Applologies if this is already pending, but the signdness fix for
copy_from_read_buf() in 2.6 seems to be needed for 2.4 as well.
This relates to the bugs reported in this document
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
--
Horms
Backport of copy_from_read_buf() signedness fix from 2.6
Signed-off-by: Simon Horman <[email protected]>
===== drivers/char/n_tty.c 1.7 vs edited =====
--- 1.7/drivers/char/n_tty.c 2004-12-16 22:57:23 +09:00
+++ edited/drivers/char/n_tty.c 2005-03-23 13:08:37 +09:00
@@ -1095,7 +1095,7 @@
{
int retval;
- ssize_t n;
+ size_t n;
unsigned long flags;
retval = 0;
Hi Horms,
On Wed, Mar 23, 2005 at 04:49:35PM +0900, Horms wrote:
> Applologies if this is already pending, but the signdness fix for
> copy_from_read_buf() in 2.6 seems to be needed for 2.4 as well.
>
> This relates to the bugs reported in this document
> http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
v2.4 does not suffer from the issue mentioned by Guninski because
the first argument of the arithmetic comparison is not casted
to a "signed" value:
n = min((ssize_t)*nr, n);
That was the problem in v2.6, where an unsigned value bigger than 2^31
would be treated as a negative signed.
Thanks anyway for pinging me, highly appreciated.
> --
> Horms
>
> Backport of copy_from_read_buf() signedness fix from 2.6
>
> Signed-off-by: Simon Horman <[email protected]>
>
> ===== drivers/char/n_tty.c 1.7 vs edited =====
> --- 1.7/drivers/char/n_tty.c 2004-12-16 22:57:23 +09:00
> +++ edited/drivers/char/n_tty.c 2005-03-23 13:08:37 +09:00
> @@ -1095,7 +1095,7 @@
>
> {
> int retval;
> - ssize_t n;
> + size_t n;
> unsigned long flags;
>
> retval = 0;