summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid S. Miller <davem@sunset.davemloft.net>2007-11-20 03:29:53 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>2007-11-20 03:29:53 -0800
commit0a06ea87185531705e4417e3a051f81b64f210c1 (patch)
tree703406ed0893a28e6940f273c81af0bdc9081c06
parenta572da43738f156a6c81034467da429903483687 (diff)
downloadlinux-3.10-0a06ea87185531705e4417e3a051f81b64f210c1.tar.gz
linux-3.10-0a06ea87185531705e4417e3a051f81b64f210c1.tar.bz2
linux-3.10-0a06ea87185531705e4417e3a051f81b64f210c1.zip
[WIRELESS] WEXT: Fix userspace corruption on 64-bit.
On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than sizeof(struct iwreq). For GET calls, the wireless extension code copies back into userspace using sizeof(struct ifreq) but userspace and elsewhere only allocates a "struct iwreq". Thus, this copy writes past the end of the iwreq object and corrupts whatever sits after it in memory. Fix the copy_to_user() length. This particularly hurts the compat case because the wireless compat code uses compat_alloc_userspace() and right after this allocated buffer is the current bottom of the user stack, and that's what gets overwritten by the copy_to_user() call. Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/wireless/wext.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index 85e5f9dd0d8..47e80cc2077 100644
--- a/net/wireless/wext.c
+++ b/net/wireless/wext.c
@@ -1094,7 +1094,7 @@ int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
rtnl_lock();
ret = wireless_process_ioctl(net, ifr, cmd);
rtnl_unlock();
- if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct ifreq)))
+ if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct iwreq)))
return -EFAULT;
return ret;
}