[WIRELESS] WEXT: Fix userspace corruption on 64-bit.
On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than sizeof(struct iwreq). For GET calls, the wireless extension code copies back into userspace using sizeof(struct ifreq) but userspace and elsewhere only allocates a "struct iwreq". Thus, this copy writes past the end of the iwreq object and corrupts whatever sits after it in memory. Fix the copy_to_user() length. This particularly hurts the compat case because the wireless compat code uses compat_alloc_userspace() and right after this allocated buffer is the current bottom of the user stack, and that's what gets overwritten by the copy_to_user() call. Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
a572da4373
commit
0a06ea8718
|
@ -1094,7 +1094,7 @@ int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
|
||||||
rtnl_lock();
|
rtnl_lock();
|
||||||
ret = wireless_process_ioctl(net, ifr, cmd);
|
ret = wireless_process_ioctl(net, ifr, cmd);
|
||||||
rtnl_unlock();
|
rtnl_unlock();
|
||||||
if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct ifreq)))
|
if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct iwreq)))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue