sunrpc/cache: fix off-by-one in qword_get()

[pandora-kernel.git] / net / sunrpc / cache.c

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 72ad836..51b23bc 100644 (file)
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -828,6 +828,8 @@ static ssize_t cache_do_downcall(char *kaddr, const char __user *buf,
 {
        ssize_t ret;
 
+       if (count == 0)
+               return -EINVAL;
        if (copy_from_user(kaddr, buf, count))
                return -EFAULT;
        kaddr[count] = '\0';
@@ -907,7 +909,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait,
        poll_wait(filp, &queue_wait, wait);
 
        /* alway allow write */
-       mask = POLL_OUT | POLLWRNORM;
+       mask = POLLOUT | POLLWRNORM;
 
        if (!rp)
                return mask;
@@ -1209,7 +1211,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
        if (bp[0] == '\\' && bp[1] == 'x') {
                /* HEX STRING */
                bp += 2;
-               while (len < bufsize) {
+               while (len < bufsize - 1) {
                        int h, l;
 
                        h = hex_to_bin(bp[0]);
@@ -1402,11 +1404,11 @@ static ssize_t read_flush(struct file *file, char __user *buf,
                          size_t count, loff_t *ppos,
                          struct cache_detail *cd)
 {
-       char tbuf[20];
+       char tbuf[22];
        unsigned long p = *ppos;
        size_t len;
 
-       sprintf(tbuf, "%lu\n", convert_to_wallclock(cd->flush_time));
+       snprintf(tbuf, sizeof(tbuf), "%lu\n", convert_to_wallclock(cd->flush_time));
        len = strlen(tbuf);
        if (p >= len)
                return 0;