From: Eric Dumazet <[EMAIL PROTECTED]>
Date: Sat, 09 Dec 2006 09:06:27 +0100

> Well, as long as you/we don't break isatty() (which tries an
> ioctl(fd,TCGETS,&termios) on the fd), it should be OK.
>
> So TCGETS *MUST* return an error on a socket (and other non tty files)

Actually, did anyone actually bother to look at what's happening
here in this case?

It's not an ioctl number aliasing issue at all, rather dev_ioctl()
blindly tries to copy a structure in from userspace before checking
the ioctl number against the list of ioctls it actually understands.

That's the bug, anyone care to code up the fix to guard that
copy_from_user() call in dev_ioctl() with a big switch statement
verification on the ioctl number?

Something like:

	switch (cmd) {
	case SIOC*:
		break;
	default:
		if (cmd == SIOCWANDEV ||
		    (cmd >= SIOCDEVPRIVATE &&
		     cmd <= SIOCDEVPRIVATE + 15))
			break;
		if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST)
			break;
		return -EINVAL;
	}

	if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
		return -EFAULT;

Thanks.
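
The ordering problem described in the message above, as an added userspace model in C (not code from the original post and not kernel code). `struct user_buf`, `copy_from_user_model()`, `cmd_is_known()`, `dev_ioctl_model()` and the `IFREQ_SIZE` of 40 are assumptions made for the model, and `SIOCGIFFLAGS` stands in for the elided `case SIOC*:` list.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Numeric values as in the Linux uapi headers. */
#define TCGETS         0x5401u
#define SIOCGIFFLAGS   0x8913u
#define SIOCWANDEV     0x894Au
#define SIOCDEVPRIVATE 0x89F0u
#define SIOCIWFIRST    0x8B00u
#define SIOCIWLAST     0x8BFFu
#define IFREQ_SIZE     40  /* assumed sizeof(struct ifreq), 64-bit build */

/* Hypothetical stand-in for a __user pointer: address plus readable bytes. */
struct user_buf { const void *addr; size_t readable; };

static int copy_from_user_model(void *dst, struct user_buf src, size_t n)
{
	if (src.addr == NULL || src.readable < n)
		return -1;	/* models a fault on the user access */
	memcpy(dst, src.addr, n);
	return 0;
}

static int cmd_is_known(unsigned int cmd)
{
	switch (cmd) {
	case SIOCGIFFLAGS:	/* stands in for the message's "case SIOC*:" */
		return 1;
	default:
		if (cmd == SIOCWANDEV ||
		    (cmd >= SIOCDEVPRIVATE && cmd <= SIOCDEVPRIVATE + 15))
			return 1;
		return cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST;
	}
}

/* check_first == 0: copy, then validate (the behaviour the message reports).
 * check_first == 1: validate, then copy (the ordering the message proposes). */
int dev_ioctl_model(unsigned int cmd, struct user_buf arg, int check_first)
{
	char ifr[IFREQ_SIZE];

	if (check_first && !cmd_is_known(cmd))
		return -EINVAL;
	if (copy_from_user_model(ifr, arg, sizeof(ifr)))
		return -EFAULT;
	return cmd_is_known(cmd) ? 0 : -EINVAL;
}
```

With a constructed caller buffer shorter than `IFREQ_SIZE`, the copy-first ordering reports `-EFAULT` for `TCGETS`, while the check-first ordering rejects the unknown number with `-EINVAL` without reading user memory.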