aboutsummaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorBen Hutchings <bhutchings@solarflare.com>2013-11-18 17:04:58 +0000
committerJiri Slaby <jslaby@suse.cz>2014-06-27 10:25:17 +0200
commite45145b6eb158405fe5cbbcce0a206d3b3090842 (patch)
treea160cbf1226a236e81166cd0d2a60d6426a28519 /net
parent9f6e089cb55bdc5a90fe6ec755a20941da9a0b3b (diff)
net/compat: Fix minor information leak in siocdevprivate_ioctl()
commit 417c3522b3202dacce4873cfb0190459fbce95c5 upstream. We don't need to check that ifr_data itself is a valid user pointer, but we should check &ifr_data is. Thankfully the copy of ifr_name is checked, so this can only leak a few bytes from immediately above the user address limit. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Diffstat (limited to 'net')
-rw-r--r--net/socket.c7
1 files changed, 2 insertions, 5 deletions
diff --git a/net/socket.c b/net/socket.c
index dc57dae20a9..c8ca896a9a5 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -3023,19 +3023,16 @@ static int siocdevprivate_ioctl(struct net *net, unsigned int cmd,
if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]),
IFNAMSIZ))
return -EFAULT;
- if (__get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
+ if (get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
return -EFAULT;
data64 = compat_ptr(data32);
u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64));
- /* Don't check these user accesses, just let that get trapped
- * in the ioctl handler instead.
- */
if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0],
IFNAMSIZ))
return -EFAULT;
- if (__put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
+ if (put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
return -EFAULT;
return dev_ioctl(net, cmd, u_ifreq64);