compat dev_ifconf fix from Randy Dunlap, fwd from DaveM
authorChris Wright <chrisw@sous-sol.org>
Thu, 9 Mar 2006 01:55:07 +0000 (17:55 -0800)
committerChris Wright <chrisw@sous-sol.org>
Thu, 9 Mar 2006 01:55:07 +0000 (17:55 -0800)
queue/compat-ifconf-fix-limits.patch [new file with mode: 0644]
queue/series

diff --git a/queue/compat-ifconf-fix-limits.patch b/queue/compat-ifconf-fix-limits.patch
new file mode 100644 (file)
index 0000000..d77650c
--- /dev/null
@@ -0,0 +1,37 @@
+From stable-bounces@linux.kernel.org  Wed Mar  8 17:48:08 2006
+Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST)
+From: "David S. Miller" <davem@davemloft.net>
+To: stable@kernel.org
+Cc: 
+Subject: [PATCH] [NET] compat ifconf: fix limits
+
+From: Randy Dunlap <rdunlap@xenotime.net>
+
+A recent change to compat. dev_ifconf() in fs/compat_ioctl.c
+causes ifconf data to be truncated 1 entry too early when copying it
+to userspace.  The correct amount of data (length) is returned,
+but the final entry is empty (zero, not filled in).
+The for-loop 'i' check should use <= to allow the final struct
+ifreq32 to be copied.  I also used the ifconf-corruption program
+in kernel bugzilla #4746 to make sure that this change does not
+re-introduce the corruption.
+
+Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/compat_ioctl.c |    2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.6.orig/fs/compat_ioctl.c
++++ linux-2.6.15.6/fs/compat_ioctl.c
+@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u
+       ifr = ifc.ifc_req;
+       ifr32 = compat_ptr(ifc32.ifcbuf);
+       for (i = 0, j = 0;
+-             i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len;
++             i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len;
+            i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) {
+               if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32)))
+                       return -EFAULT;
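Review bot: The two bounds in the loop condition are now asymmetric: the `i` test requires a whole `struct ifreq32` to fit below `ifc32.ifc_len`, while the `j` test only requires the entry's start offset to be below `ifc.ifc_len`. Whether that is safe depends on how `ifc.ifc_len` is derived, which happens outside this hunk (dev_ifconf starts before it and continues past it). If `ifc.ifc_len` is always a whole multiple of `sizeof (struct ifreq)`, a one-line comment above the loop would record the invariant, e.g. `/* <=: an entry ending exactly at ifc32.ifc_len still fits; ifc.ifc_len is a whole number of struct ifreq */`. The types of `i` and `ifc32.ifc_len` are not visible here either; if `ifc_len` is a signed value supplied by userspace, the comparison with `i + sizeof (...)` is done in unsigned arithmetic, so it is worth confirming that a negative length is rejected earlier in the function.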
index 51a0849cb9f9c7db9521a6dd820043dcd6b9c015..de27f9d62762042c41d522db4c818459b61e0b50 100644 (file)
@@ -1,2 +1,3 @@
 ib-srp-don-t-send-task-management-commands-after-target-removal.patch
 netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch
+compat-ifconf-fix-limits.patch