From 0a06ea87185531705e4417e3a051f81b64f210c1 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 20 Nov 2007 03:29:53 -0800 Subject: [PATCH] [WIRELESS] WEXT: Fix userspace corruption on 64-bit. On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than sizeof(struct iwreq). For GET calls, the wireless extension code copies back into userspace using sizeof(struct ifreq) but userspace and elsewhere only allocates a "struct iwreq". Thus, this copy writes past the end of the iwreq object and corrupts whatever sits after it in memory. Fix the copy_to_user() length. This particularly hurts the compat case because the wireless compat code uses compat_alloc_userspace() and right after this allocated buffer is the current bottom of the user stack, and that's what gets overwritten by the copy_to_user() call. Signed-off-by: David S. Miller --- net/wireless/wext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/wext.c b/net/wireless/wext.c index 85e5f9dd0d8e..47e80cc2077c 100644 --- a/net/wireless/wext.c +++ b/net/wireless/wext.c @@ -1094,7 +1094,7 @@ int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, rtnl_lock(); ret = wireless_process_ioctl(net, ifr, cmd); rtnl_unlock(); - if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct ifreq))) + if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct iwreq))) return -EFAULT; return ret; }