From: Kevin Corry <kevcorry@us.ibm.com>

dm-ioctl.c::retrieve_status(): Prevent overrunning the ioctl buffer by making
sure we don't call the target status routine with a buffer size limit of
zero.  [Kevin Corry, Alasdair Kergon]


---

 25-akpm/drivers/md/dm-ioctl.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletion(-)

diff -puN drivers/md/dm-ioctl.c~dm-retrieve_status-prevent-overrunning-the-ioctl-buffer drivers/md/dm-ioctl.c
--- 25/drivers/md/dm-ioctl.c~dm-retrieve_status-prevent-overrunning-the-ioctl-buffer	Mon Apr 12 13:48:55 2004
+++ 25-akpm/drivers/md/dm-ioctl.c	Mon Apr 12 13:48:55 2004
@@ -789,7 +789,7 @@ static void retrieve_status(struct dm_ta
 		struct dm_target *ti = dm_table_get_target(table, i);
 
 		remaining = len - (outptr - outbuf);
-		if (remaining < sizeof(struct dm_target_spec)) {
+		if (remaining <= sizeof(struct dm_target_spec)) {
 			param->flags |= DM_BUFFER_FULL_FLAG;
 			break;
 		}
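Review bot: The switch from `<` to `<=` on the first `remaining` test is easy to read as an off-by-one and be "corrected" back later, so it should carry a comment stating the invariant it enforces. Something like `/* need the spec plus at least one byte for the status string */` above the `if` would record why a buffer that fits the spec exactly is still treated as full. The loop body in retrieve_status continues outside this hunk, so how each target's status routine behaves with a one-byte limit is not visible here and is worth confirming.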
@@ -804,6 +804,10 @@ static void retrieve_status(struct dm_ta
 
 		outptr += sizeof(struct dm_target_spec);
 		remaining = len - (outptr - outbuf);
+		if (remaining <= 0) {
+			param->flags |= DM_BUFFER_FULL_FLAG;
+			break;
+		}
 
 		/* Get the status/table string from the target driver */
 		if (ti->type->status) {
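Review bot: The added `remaining <= 0` test only catches an exact zero if `remaining` is an unsigned type such as size_t, which cannot be confirmed here because its declaration is outside the hunk. In that case an `outptr` that had moved past `len` would wrap to a very large value and be passed to the status routine as its size limit. With the `<=` in the earlier hunk the value at this point should already be at least 1, so this check is a backstop rather than the primary guard, assuming the lines between the hunks do not move `outptr`. Comparing before subtracting, e.g. `if ((size_t)(outptr - outbuf) >= len) {`, would make the backstop hold for the overshoot case too. The status call itself lies past the end of the hunk.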

_