ROMFS: fix length used with romfs_dev_strnlen() function

An interestingly corrupted romfs file system exposed a problem with the
romfs_dev_strnlen function: it's passing the wrong value to its helpers.
Rather than limit the string to the length passed in by the callers, it
uses the size of the device as the limit.

Signed-off-by: Bernd Schmidt <bernds_cb1@t-online.de>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c
index b3208adf8e71e0be84b46c318209b4c997b61b10..71e2b4d50a0ab5104087237c350c20057dc3e38f 100644 (file)
--- a/fs/romfs/storage.c
+++ b/fs/romfs/storage.c
@@ -253,11 +253,11 @@ ssize_t romfs_dev_strnlen(struct super_block *sb,
 
 #ifdef CONFIG_ROMFS_ON_MTD
        if (sb->s_mtd)
-               return romfs_mtd_strnlen(sb, pos, limit);
+               return romfs_mtd_strnlen(sb, pos, maxlen);
 #endif
 #ifdef CONFIG_ROMFS_ON_BLOCK
        if (sb->s_bdev)
-               return romfs_blk_strnlen(sb, pos, limit);
+               return romfs_blk_strnlen(sb, pos, maxlen);
 #endif
        return -EIO;
 }