diff options
| author | David S. Miller <davem@sunset.davemloft.net> | 2007-11-20 03:29:53 -0800 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-11-20 03:29:53 -0800 |
| commit | 0a06ea87185531705e4417e3a051f81b64f210c1 (patch) | |
| tree | 703406ed0893a28e6940f273c81af0bdc9081c06 /net/wireless | |
| parent | a572da43738f156a6c81034467da429903483687 (diff) | |
| download | linux-next-0a06ea87185531705e4417e3a051f81b64f210c1.tar.gz | |
[WIRELESS] WEXT: Fix userspace corruption on 64-bit.
On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than
sizeof(struct iwreq).
For GET calls, the wireless extension code copies back into userspace
using sizeof(struct ifreq) but userspace and elsewhere only allocates
a "struct iwreq". Thus, this copy writes past the end of the iwreq
object and corrupts whatever sits after it in memory.
Fix the copy_to_user() length.
This particularly hurts the compat case because the wireless compat
code uses compat_alloc_userspace() and right after this allocated
buffer is the current bottom of the user stack, and that's what gets
overwritten by the copy_to_user() call.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/wireless')
| -rw-r--r-- | net/wireless/wext.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/wext.c b/net/wireless/wext.c index 85e5f9dd0d8e..47e80cc2077c 100644 --- a/net/wireless/wext.c +++ b/net/wireless/wext.c @@ -1094,7 +1094,7 @@ int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, rtnl_lock(); ret = wireless_process_ioctl(net, ifr, cmd); rtnl_unlock(); - if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct ifreq))) + if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct iwreq))) return -EFAULT; return ret; } |