From: Mika Kukkonen

CC [M] fs/smbfs/proc.o
fs/smbfs/proc.c: In function `smb_proc_readdir_long':
fs/smbfs/proc.c:2313: warning: comparison of unsigned expression < 0 is always false
fs/smbfs/proc.c:2467: warning: comparison of unsigned expression < 0 is always false

The first one is pretty dangerous looking, as smb_proc_readdir_long() can return several negative error values and all those are converted to unsigned and then erroneously pass the test on line 2313. Chris Wright gave it a quick look and we did not see immediately if this can be remotely exploited, but it looks pretty scary.

The second warning on line 2467 is just extra so I just removed it.

Signed-off-by: Andrew Morton

--- 25-akpm/fs/smbfs/proc.c | 12 ++++-------- 1 files changed, 4 insertions(+), 8 deletions(-) diff -puN fs/smbfs/proc.c~int-return-to-unsigned-in-smb_proc_readdir_long-in fs/smbfs/proc.c --- 25/fs/smbfs/proc.c~int-return-to-unsigned-in-smb_proc_readdir_long-in Wed Jul 7 13:49:16 2004 +++ 25-akpm/fs/smbfs/proc.c Wed Jul 7 13:49:16 2004 @@ -2309,16 +2309,14 @@ smb_proc_readdir_long(struct file *filp, */ mask = param + 12; - mask_len = smb_encode_path(server, mask, SMB_MAXPATHLEN+1, dir, &star); - if (mask_len < 0) { - result = mask_len; + result = smb_encode_path(server, mask, SMB_MAXPATHLEN+1, dir, &star); + if (result <= 0) goto out_free; - } - mask_len--; /* mask_len is strlen, not #bytes */ + mask_len = result - 1; /* mask_len is strlen, not #bytes */ + result = 0; first = 1; VERBOSE("starting mask_len=%d, mask=%s\n", mask_len, mask); - result = 0; entries_seen = 2; ff_eos = 0; @@ -2464,8 +2462,6 @@ smb_proc_readdir_long(struct file *filp, /* * Update the mask string for the next message. */ - if (mask_len < 0) - mask_len = 0; if (mask_len > 255) mask_len = 255; if (mask_len) _
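
Review bot: in the first hunk (@@ -2309) the new test `if (result <= 0) goto out_free;` sends a zero return from smb_encode_path() to out_free with result == 0, so the caller sees success although nothing was read, and the changelog does not mention the move from `< 0` to `<= 0`. The stricter test is needed, since `mask_len = result - 1` would wrap for result == 0 (the compiler warning shows mask_len is unsigned), but if zero is a possible return it should be mapped to an error code before the goto, and if it is not, a one-line comment saying so would help. The VERBOSE() context line also still prints mask_len with %d.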
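
Review bot: in the second hunk (@@ -2464) the remaining clamp `if (mask_len > 255) mask_len = 255;` will silently absorb any negative value that was assigned to the unsigned mask_len above this point, because it wraps to a large number and is cut to 255 instead of being treated as an error. Removing the dead `mask_len < 0` test is fine, but the assignment feeding this clamp is outside the visible context; it should either go through a signed temporary with an explicit error check, as the first hunk does for smb_encode_path(), or the changelog should state that it cannot be negative.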