| From stable-bounces@linux.kernel.org Wed Mar 8 17:48:08 2006 |
| Date: Wed, 08 Mar 2006 17:43:17 -0800 (PST) |
| From: "David S. Miller" <davem@davemloft.net> |
| To: stable@kernel.org |
| Cc: |
| Subject: [PATCH] [NET] compat ifconf: fix limits |
| |
| From: Randy Dunlap <rdunlap@xenotime.net> |
| |
| A recent change to compat. dev_ifconf() in fs/compat_ioctl.c |
| causes ifconf data to be truncated 1 entry too early when copying it |
| to userspace. The correct amount of data (length) is returned, |
| but the final entry is empty (zero, not filled in). |
| The for-loop 'i' check should use <= to allow the final struct |
| ifreq32 to be copied. I also used the ifconf-corruption program |
| in kernel bugzilla #4746 to make sure that this change does not |
| re-introduce the corruption. |
| |
| Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| |
| fs/compat_ioctl.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- linux-2.6.15.6.orig/fs/compat_ioctl.c |
| +++ linux-2.6.15.6/fs/compat_ioctl.c |
| @@ -687,7 +687,7 @@ static int dev_ifconf(unsigned int fd, u |
| ifr = ifc.ifc_req; |
| ifr32 = compat_ptr(ifc32.ifcbuf); |
| for (i = 0, j = 0; |
| - i + sizeof (struct ifreq32) < ifc32.ifc_len && j < ifc.ifc_len; |
| + i + sizeof (struct ifreq32) <= ifc32.ifc_len && j < ifc.ifc_len; |
| i += sizeof (struct ifreq32), j += sizeof (struct ifreq)) { |
| if (copy_in_user(ifr32, ifr, sizeof (struct ifreq32))) |
| return -EFAULT; |
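Review bot: the two bounds in the for-loop condition now take different forms, and the hunk does not say why the second one is safe. The compat side checks that a whole entry fits (`i + sizeof (struct ifreq32) <= ifc32.ifc_len`), while the native side only checks `j < ifc.ifc_len`. That is enough only if ifc.ifc_len is always a whole multiple of sizeof (struct ifreq) at this point. Either add a one-line comment above the loop stating that invariant, or write the native bound in the same whole-entry form (`j + sizeof (struct ifreq) <= ifc.ifc_len`), so the off-by-one reasoning can be checked from the loop header alone. It would also help to note in a comment that `<=` is intended because ifc32.ifc_len is a byte count, so an entry ending exactly at ifc_len still fits in the user buffer.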