[WIRELESS] WEXT: Fix userspace corruption on 64-bit. On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than sizeof(struct iwreq). For GET calls, the wireless extension code copies back into userspace using sizeof(struct ifreq) but userspace and elsewhere only allocates a "struct iwreq". Thus, this copy writes past the end of the iwreq object and corrupts whatever sits after it in memory. Fix the copy_to_user() length. This particularly hurts the compat case because the wireless compat code uses compat_alloc_userspace() and right after this allocated buffer is the current bottom of the user stack, and that's what gets overwritten by the copy_to_user() call. Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 0a06ea87185531705e4417e3a051f81b64f210c1 [log] [tgz]
author: David S. Miller <davem@sunset.davemloft.net> Tue Nov 20 03:29:53 2007 -0800
committer: David S. Miller <davem@sunset.davemloft.net> Tue Nov 20 03:29:53 2007 -0800
tree: 703406ed0893a28e6940f273c81af0bdc9081c06
parent: a572da43738f156a6c81034467da429903483687 [diff] [blame]
diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index 85e5f9d..47e80cc 100644
--- a/net/wireless/wext.c
+++ b/net/wireless/wext.c

@@ -1094,7 +1094,7 @@
 	rtnl_lock();
 	ret = wireless_process_ioctl(net, ifr, cmd);
 	rtnl_unlock();
-	if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct ifreq)))
+	if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct iwreq)))
 		return -EFAULT;
 	return ret;
 }
commit	0a06ea87185531705e4417e3a051f81b64f210c1	[log] [tgz]
author	David S. Miller <davem@sunset.davemloft.net>	Tue Nov 20 03:29:53 2007 -0800
committer	David S. Miller <davem@sunset.davemloft.net>	Tue Nov 20 03:29:53 2007 -0800
tree	703406ed0893a28e6940f273c81af0bdc9081c06
parent	a572da43738f156a6c81034467da429903483687 [diff] [blame]