From: Chris Wright Date: Thu, 9 Mar 2006 01:55:07 +0000 (-0800) Subject: compat dev_ifconf fix from Randy Dunlap, fwd from DaveM X-Git-Tag: v2.6.16.1~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ecd9241b30880cfce5e212f53983019b74076f29;p=thirdparty%2Fkernel%2Fstable-queue.git compat dev_ifconf fix from Randy Dunlap, fwd from DaveM --- diff --git a/queue/compat-ifconf-fix-limits.patch b/queue/compat-ifconf-fix-limits.patch new file mode 100644 index 00000000000..d77650cf152 --- /dev/null +++ b/queue/compat-ifconf-fix-limits.patch @@ -0,0 +1,37 @@ +From stable-bounces@linux.kernel.org Wed Mar 8 17:48:08 2006 +Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST) +From: "David S. Miller" +To: stable@kernel.org +Cc: +Subject: [PATCH] [NET] compat ifconf: fix limits + +From: Randy Dunlap + +A recent change to compat. dev_ifconf() in fs/compat_ioctl.c +causes ifconf data to be truncated 1 entry too early when copying it +to userspace. The correct amount of data (length) is returned, +but the final entry is empty (zero, not filled in). +The for-loop 'i' check should use <= to allow the final struct +ifreq32 to be copied. I also used the ifconf-corruption program +in kernel bugzilla #4746 to make sure that this change does not +re-introduce the corruption. + +Signed-off-by: Randy Dunlap +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + fs/compat_ioctl.c | 2 +- + 1 files changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.6.orig/fs/compat_ioctl.c ++++ linux-2.6.15.6/fs/compat_ioctl.c +@@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u + ifr = ifc.ifc_req; + ifr32 = compat_ptr(ifc32.ifcbuf); + for (i = 0, j = 0; +- i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len; ++ i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len; + i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) { + if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32))) + return -EFAULT; 
diff --git a/queue/series b/queue/series index 51a0849cb9f..de27f9d6276 100644 --- a/queue/series +++ b/queue/series @@ -1,2 +1,3 @@ ib-srp-don-t-send-task-management-commands-after-target-removal.patch netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch +compat-ifconf-fix-limits.patch
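Review bot: In the dev_ifconf() loop condition in fs/compat_ioctl.c, the two bounds are expressed differently. The destination side now checks the end of the entry (i + sizeof (struct ifreq32) <= ifc32.ifc_len), while the source side still checks only the start offset (j < ifc.ifc_len). With <=, the last copy_in_user() of sizeof (struct ifreq32) bytes ends at most at ifc32.ifc_len, so the change does not write past the length the caller supplied. For the source side, either add a short comment stating that ifc.ifc_len is always a whole number of struct ifreq entries at this point, or write the test as j + sizeof (struct ifreq) <= ifc.ifc_len so that both limits read as end-of-entry checks. The changelog also refers to "a recent change" without identifying it; naming that change in the queued patch would make it easier to tell which stable trees need this fix.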