From f4ead4c17fd6e680975bbc071138fa829b7f6745 Mon Sep 17 00:00:00 2001
From: hunt <hunt>
Date: Wed, 18 May 2005 05:37:14 +0000
Subject: 2005-05-17  Martin Hunt  <hunt@redhat.com>

	* relay.c (relay_switch_subbuf): Applied patch
	[PATCH 2.6.12-rc1-mm2] relayfs: properly handle oversized events
---
 runtime/relayfs/relay.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'runtime/relayfs/relay.c')

diff --git a/runtime/relayfs/relay.c b/runtime/relayfs/relay.c
index 35a5f31d..5998db80 100644
--- a/runtime/relayfs/relay.c
+++ b/runtime/relayfs/relay.c
@@ -378,7 +378,10 @@ unsigned relay_switch_subbuf(struct rchan_buf *buf, unsigned length)
 	int new, old, produced = atomic_read(&buf->subbufs_produced);
 	unsigned padding;
 
-	if (atomic_read(&buf->unfull)) {
+	if (unlikely(length > buf->chan->subbuf_size))
+	  goto toobig;
+	
+	if (unlikely(atomic_read(&buf->unfull))) {
 		atomic_set(&buf->unfull, 0);
 		new = produced % buf->chan->n_subbufs;
 		old = (produced - 1) % buf->chan->n_subbufs;
@@ -410,7 +413,15 @@ unsigned relay_switch_subbuf(struct rchan_buf *buf, unsigned length)
 	new = (produced + 1) % buf->chan->n_subbufs;
 	do_switch(buf, new, old);
 
+	if (unlikely(length + buf->offset > buf->chan->subbuf_size))
+	  goto toobig;
+
 	return length;
+	
+ toobig:
+	printk(KERN_WARNING "relayfs: event too large (%u)\n", length);
+	WARN_ON(1);
+	return 0;
 }
 
 /**
-- 
cgit