mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
0a06ea8718
On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than sizeof(struct iwreq). For GET calls, the wireless extension code copies back into userspace using sizeof(struct ifreq) but userspace and elsewhere only allocates a "struct iwreq". Thus, this copy writes past the end of the iwreq object and corrupts whatever sits after it in memory. Fix the copy_to_user() length. This particularly hurts the compat case because the wireless compat code uses compat_alloc_userspace() and right after this allocated buffer is the current bottom of the user stack, and that's what gets overwritten by the copy_to_user() call. Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
core.c | ||
core.h | ||
Kconfig | ||
Makefile | ||
nl80211.c | ||
nl80211.h | ||
radiotap.c | ||
sysfs.c | ||
sysfs.h | ||
wext.c |