diff options
author | Johannes Berg <johannes.berg@intel.com> | 2017-06-14 09:28:11 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2017-06-14 13:52:44 +0200 |
commit | 68dd02d19c811ca8ea60220a9d73e13b4bdad73a (patch) | |
tree | fc5f16101d532733fd8e4d34ea064313580fa163 /include/net | |
parent | wireless: wext: use struct iwreq earlier in the call chain (diff) | |
download | linux-68dd02d19c811ca8ea60220a9d73e13b4bdad73a.tar.xz linux-68dd02d19c811ca8ea60220a9d73e13b4bdad73a.zip |
dev_ioctl: copy only the smaller struct iwreq for wext
Unfortunately, struct iwreq isn't a proper subset of struct ifreq,
but is still handled by the same code path. Robert reported that
then applications may (randomly) fault if the struct iwreq they
pass happens to land within 8 bytes of the end of a mapping (the
struct is only 32 bytes, vs. struct ifreq's 40 bytes).
To fix this, pull out the code handling wireless extension ioctls
and copy only the smaller structure in this case.
This bug goes back a long time, I tracked that it was introduced
into mainline in 2.1.15, over 20 years ago!
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=195869
Reported-by: Robert O'Callahan <robert@ocallahan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/wext.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/net/wext.h b/include/net/wext.h index 345911965dbb..454ff763eeba 100644 --- a/include/net/wext.h +++ b/include/net/wext.h @@ -6,7 +6,7 @@ struct net; #ifdef CONFIG_WEXT_CORE -int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, +int wext_handle_ioctl(struct net *net, struct iwreq *iwr, unsigned int cmd, void __user *arg); int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, unsigned long arg); @@ -14,7 +14,7 @@ int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, struct iw_statistics *get_wireless_stats(struct net_device *dev); int call_commit_handler(struct net_device *dev); #else -static inline int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, +static inline int wext_handle_ioctl(struct net *net, struct iwreq *iwr, unsigned int cmd, void __user *arg) { return -EINVAL; |