[thirdparty/kernel/stable-queue.git] / releases / 2.6.15.7 / compat-ifconf-fix-limits.patch

From stable-bounces@linux.kernel.org  Wed Mar  8 17:48:08 2006
Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST)
From: "David S. Miller" <davem@davemloft.net>
To: stable@kernel.org
Cc: 
Subject: [PATCH] [NET] compat ifconf: fix limits

From: Randy Dunlap <rdunlap@xenotime.net>

A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
causes ifconf data to be truncated 1 entry too early when copying it
to userspace.  The correct amount of data (length) is returned,
but the final entry is empty (zero, not filled in).
The for-loop 'i' check should use <= to allow the final struct
ifreq32 to be copied.  I also used the ifconf-corruption program
in kernel bugzilla #4746 to make sure that this change does not
re-introduce the corruption.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 fs/compat_ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.15.6.orig/fs/compat_ioctl.c
+++ linux-2.6.15.6/fs/compat_ioctl.c
@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u
 	ifr = ifc.ifc_req;
 	ifr32 = compat_ptr(ifc32.ifcbuf);
 	for (i = 0, j = 0;
-             i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len;
+             i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len;
 	     i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) {
 		if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32)))
 			return -EFAULT;
Commit	Line	Data
ecd9241b CW	1	From stable-bounces@linux.kernel.org Wed Mar 8 17:48:08 2006
	2	Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST)
	3	From: "David S. Miller" <davem@davemloft.net>
	4	To: stable@kernel.org
	5	Cc:
	6	Subject: [PATCH] [NET] compat ifconf: fix limits
	7
	8	From: Randy Dunlap <rdunlap@xenotime.net>
	9
	10	A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
	11	causes ifconf data to be truncated 1 entry too early when copying it
	12	to userspace. The correct amount of data (length) is returned,
	13	but the final entry is empty (zero, not filled in).
	14	The for-loop 'i' check should use <= to allow the final struct
	15	ifreq32 to be copied. I also used the ifconf-corruption program
	16	in kernel bugzilla #4746 to make sure that this change does not
	17	re-introduce the corruption.
	18
	19	Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
	20	Signed-off-by: David S. Miller <davem@davemloft.net>
	21	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
5390119a	22	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
ecd9241b CW	23	---
	24
	25	fs/compat_ioctl.c \| 2 +-
5390119a	26	1 file changed, 1 insertion(+), 1 deletion(-)
ecd9241b CW	27
	28	--- linux-2.6.15.6.orig/fs/compat_ioctl.c
	29	+++ linux-2.6.15.6/fs/compat_ioctl.c
	30	@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u
	31	ifr = ifc.ifc_req;
	32	ifr32 = compat_ptr(ifc32.ifcbuf);
	33	for (i = 0, j = 0;
	34	- i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len;
	35	+ i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len;
	36	i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) {
	37	if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32)))
	38	return -EFAULT;