From: Olaf Hering
Signed-off-by: Andrew Morton
---
 fs/compat.c | 39 +++++++++++++++++++++++++--------------
 1 files changed, 25 insertions(+), 14 deletions(-)
diff -puN fs/compat.c~compat-fcntl-fixes fs/compat.c
--- 25/fs/compat.c~compat-fcntl-fixes Tue Oct 18 16:41:28 2005
+++ 25-akpm/fs/compat.c Tue Oct 18 16:41:28 2005
@@ -496,17 +496,22 @@ asmlinkage long compat_sys_fcntl64(unsig
 ret = get_compat_flock(&f, compat_ptr(arg));
 if (ret != 0)
 break;
+ if (f.l_start > COMPAT_OFF_T_MAX ||
+ f.l_start < -COMPAT_OFF_T_MAX)
+ return -EOVERFLOW;
+ if (f.l_start >= 0 && f.l_len >= 0)
+ if (f.l_len-1 > COMPAT_OFF_T_MAX - f.l_start)
+ return -EOVERFLOW;
+ if (f.l_start < 0 && f.l_len < 0)
+ if (f.l_len+1 < -COMPAT_OFF_T_MAX - f.l_start)
+ return -EOVERFLOW;
+
 old_fs = get_fs();
 set_fs(KERNEL_DS);
 ret = sys_fcntl(fd, cmd, (unsigned long)&f);
 set_fs(old_fs);
- if (cmd == F_GETLK && ret == 0) {
- if ((f.l_start >= COMPAT_OFF_T_MAX) ||
- ((f.l_start + f.l_len) > COMPAT_OFF_T_MAX))
- ret = -EOVERFLOW;
- if (ret == 0)
- ret = put_compat_flock(&f, compat_ptr(arg));
- }
+ if (cmd == F_GETLK && ret == 0)
+ ret = put_compat_flock(&f, compat_ptr(arg));
 break;
 
 case F_GETLK64:
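Review bot: The new F_GETLK path at the end of the hunk copies f back with put_compat_flock without any range check, while the added checks only validate the request before sys_fcntl; on F_GETLK the kernel overwrites f.l_start/f.l_len with the conflicting lock, which another process may have placed through the 64-bit interface with coordinates above COMPAT_OFF_T_MAX, and put_compat_flock (not visible here) presumably narrows them to compat_off_t, so a 32-bit caller would get a silently wrong lock description where the removed block used to report -EOVERFLOW. I would keep an output check before the copy-out, e.g. `if (f.l_start > COMPAT_OFF_T_MAX || f.l_len > COMPAT_OFF_T_MAX) ret = -EOVERFLOW;` ahead of `ret = put_compat_flock(&f, compat_ptr(arg));`, or add a comment stating why truncating the returned conflicting lock is acceptable. Separately, the three `return -EOVERFLOW;` statements leave the function directly while the rest of this case reports errors through `ret` and `break`; `ret = -EOVERFLOW; break;` would keep one exit path (compat_sys_fcntl64 starts and ends outside the hunk, so I cannot see whether anything after the switch is bypassed). A one-line comment on the added checks, such as `/* reject ranges a compat off_t cannot represent before the kernel widens them */`, would also make the intent clear to the next reader.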
@@ -515,19 +520,25 @@ asmlinkage long compat_sys_fcntl64(unsig
 ret = get_compat_flock64(&f, compat_ptr(arg));
 if (ret != 0)
 break;
+ if (f.l_start > COMPAT_LOFF_T_MAX ||
+ f.l_start < -COMPAT_LOFF_T_MAX)
+ return -EOVERFLOW;
+
+ if (f.l_start >= 0 && f.l_len >= 0)
+ if (f.l_len-1 > COMPAT_LOFF_T_MAX - f.l_start)
+ return -EOVERFLOW;
+ if (f.l_start < 0 && f.l_len < 0)
+ if (f.l_len+1 < -COMPAT_LOFF_T_MAX - f.l_start)
+ return -EOVERFLOW;
+
 old_fs = get_fs();
 set_fs(KERNEL_DS);
 ret = sys_fcntl(fd, (cmd == F_GETLK64) ? F_GETLK :
 ((cmd == F_SETLK64) ? F_SETLK : F_SETLKW),
 (unsigned long)&f);
 set_fs(old_fs);
- if (cmd == F_GETLK64 && ret == 0) {
- if ((f.l_start >= COMPAT_LOFF_T_MAX) ||
- ((f.l_start + f.l_len) > COMPAT_LOFF_T_MAX))
- ret = -EOVERFLOW;
- if (ret == 0)
- ret = put_compat_flock64(&f, compat_ptr(arg));
- }
+ if (cmd == F_GETLK64 && ret == 0)
+ ret = put_compat_flock64(&f, compat_ptr(arg));
 break;
 
 default:
_
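Review bot: The range check added at the top of this hunk is a copy of the one in the F_GETLK/F_SETLK case with only the limit macro changed, and both copies use the unbraced `if (...) if (...) return` form that invites a dangling-else mistake the next time someone edits one copy but not the other; I would move the logic into one static helper that takes the limit, so the two cases cannot drift apart. If COMPAT_LOFF_T_MAX is the full signed 64-bit maximum (its definition is not visible here), `f.l_start > COMPAT_LOFF_T_MAX` can never be true for a loff_t and the useful part of the check is rejecting start/len pairs whose end would overflow the kernel's own loff_t arithmetic, which is worth stating in the helper's comment rather than leaving the reader to work out. As in the 32-bit case, the direct `return -EOVERFLOW;` bypasses the `ret`/`break` convention the rest of this case follows, and compat_sys_fcntl64 ends outside the hunk, so I cannot confirm nothing after the switch is skipped. The helper below is what I have in mind; the call site in this case would become `if (!compat_flock_range_ok(f.l_start, f.l_len, COMPAT_LOFF_T_MAX)) return -EOVERFLOW;`.

```c
/*
 * Check that a lock request [l_start, l_start + l_len) can be expressed
 * with offsets in [-max, max]: a range the kernel's loff_t can hold may
 * still be wider than what the compat caller's off_t can represent.
 * Returns 1 when the range fits, 0 when the caller should see -EOVERFLOW.
 */
static int compat_flock_range_ok(loff_t start, loff_t len, loff_t max)
{
	if (start > max || start < -max)
		return 0;
	/* forward range: last byte is start + len - 1 (len == 0 means to EOF) */
	if (start >= 0 && len >= 0 && len - 1 > max - start)
		return 0;
	/* backward range: first byte is start + len */
	if (start < 0 && len < 0 && len + 1 < -max - start)
		return 0;
	return 1;
}

/* … unchanged: get_compat_flock64 and the sys_fcntl call … */
		if (!compat_flock_range_ok(f.l_start, f.l_len, COMPAT_LOFF_T_MAX))
			return -EOVERFLOW;
```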