]>
Commit | Line | Data |
---|---|---|
ecd9241b CW |
1 | From stable-bounces@linux.kernel.org Wed Mar 8 17:48:08 2006 |
2 | Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST) | |
3 | From: "David S. Miller" <davem@davemloft.net> | |
4 | To: stable@kernel.org | |
5 | Cc: | |
6 | Subject: [PATCH] [NET] compat ifconf: fix limits | |
7 | ||
8 | From: Randy Dunlap <rdunlap@xenotime.net> | |
9 | ||
10 | A recent change to compat. dev_ifconf() in fs/compat_ioctl.c | |
11 | causes ifconf data to be truncated 1 entry too early when copying it | |
12 | to userspace. The correct amount of data (length) is returned, | |
13 | but the final entry is empty (zero, not filled in). | |
14 | The for-loop 'i' check should use <= to allow the final struct | |
15 | ifreq32 to be copied. I also used the ifconf-corruption program | |
16 | in kernel bugzilla #4746 to make sure that this change does not | |
17 | re-introduce the corruption. | |
18 | ||
19 | Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> | |
20 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
21 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | |
5390119a | 22 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
ecd9241b CW |
23 | --- |
24 | ||
25 | fs/compat_ioctl.c | 2 +- | |
5390119a | 26 | 1 file changed, 1 insertion(+), 1 deletion(-) |
ecd9241b CW |
27 | |
28 | --- linux-2.6.15.6.orig/fs/compat_ioctl.c | |
29 | +++ linux-2.6.15.6/fs/compat_ioctl.c | |
30 | @@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u | |
31 | ifr = ifc.ifc_req; | |
32 | ifr32 = compat_ptr(ifc32.ifcbuf); | |
33 | for (i = 0, j = 0; | |
34 | - i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len; | |
35 | + i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len; | |
36 | i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) { | |
37 | if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32))) | |
38 | return -EFAULT; |