yam: fix a missing-check bug
In yam_ioctl(), the concrete ioctl command is firstly copied from the user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the following switch statement. If the command is not as expected, an error code EINVAL is returned. In the following execution the buffer 'ifr->ifr_data' is copied again in the cases of the switch statement to specific data structures according to what kind of ioctl command is requested. However, after the second copy, no re-check is enforced on the newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user space, a malicious user can race to change the command between the two copies. This way, the attacker can inject inconsistent data and cause undefined behavior. This patch adds a re-check in each case of the switch statement if there is a second copy in that case, to re-check whether the command obtained in the second copy is the same as the one in the first copy. If not, an error code EINVAL will be returned. Signed-off-by: Wenwen Wang <wang6495@umn.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
33aa8da1f8
commit
0781168e23
|
@ -966,6 +966,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
|
|||
sizeof(struct yamdrv_ioctl_mcs));
|
||||
if (IS_ERR(ym))
|
||||
return PTR_ERR(ym);
|
||||
if (ym->cmd != SIOCYAMSMCS)
|
||||
return -EINVAL;
|
||||
if (ym->bitrate > YAM_MAXBITRATE) {
|
||||
kfree(ym);
|
||||
return -EINVAL;
|
||||
|
@ -981,6 +983,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
|
|||
if (copy_from_user(&yi, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg)))
|
||||
return -EFAULT;
|
||||
|
||||
if (yi.cmd != SIOCYAMSCFG)
|
||||
return -EINVAL;
|
||||
if ((yi.cfg.mask & YAM_IOBASE) && netif_running(dev))
|
||||
return -EINVAL; /* Cannot change this parameter when up */
|
||||
if ((yi.cfg.mask & YAM_IRQ) && netif_running(dev))
|
||||
|
|
Loading…
Reference in New Issue