netdev.vger.kernel.org archive mirror
From: David Miller <davem@davemloft.net>
To: dada1@cosmosbay.com
Cc: shemminger@osdl.org, netdev@vger.kernel.org, hch@lst.de
Subject: Re: [Bug 7635] New: ioctl(fd,TCSBRK,1) on socket yields EFAULT, expected EINVAL/ENOTTY
Date: Sat, 09 Dec 2006 01:05:45 -0800 (PST)
Message-ID: <20061209.010545.126590710.davem@davemloft.net>
In-Reply-To: <457A6E83.2070708@cosmosbay.com>

From: Eric Dumazet <dada1@cosmosbay.com>
Date: Sat, 09 Dec 2006 09:06:27 +0100

> Well, as long as you/we don't break isatty() (which tries an
> ioctl(fd,TCGETS,&termios) on the fd), it should be OK.
> 
> So TCGETS *MUST* return an error on a socket (and other non tty files)

Actually, did anyone actually bother to look at what's happening
here in this case?  It's not an ioctl number aliasing issue at
all, rather dev_ioctl() blindly tries to copy a structure in
from userspace before checking the ioctl number against the
list of ioctls it actually understands.

That's the bug, anyone care to code up the fix to guard that
copy_from_user() call in dev_ioctl() with a big switch statement
verification on the ioctl number?

Something like:

	switch (cmd) {
	case SIOC*:
		break;
	default:
		if (cmd == SIOCWANDEV ||
		    (cmd >= SIOCDEVPRIVATE &&
		     cmd <= SIOCDEVPRIVATE + 15))
			break;
		if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST)
			break;
		return -EINVAL;
	}
	if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
		return -EFAULT;

Thanks.
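
The ordering problem described in the message above, as a userspace model added here for illustration (it is not kernel code and not part of the original message). All `demo_*` and `ioctl_*_first` names are hypothetical, the command values are restated from the Linux headers, and any pointer below 4096 is assumed to fault, matching the `arg` of 1 in the bug title.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Values restated from the Linux uapi headers (x86) so this builds anywhere. */
#define DEMO_TCSBRK         0x5409u
#define DEMO_SIOCGIFFLAGS   0x8913u  /* stands in for the "case SIOC*:" list */
#define DEMO_SIOCWANDEV     0x894Au
#define DEMO_SIOCDEVPRIVATE 0x89F0u
#define DEMO_SIOCIWFIRST    0x8B00u
#define DEMO_SIOCIWLAST     0x8BFFu

struct demo_ifreq { char name[16]; char data[24]; };
struct demo_ifreq demo_good_arg;   /* constructed valid "user" buffer */

/* Userspace stand-in for copy_from_user(): addresses in page 0 "fault". */
static unsigned long demo_copy_from_user(void *dst, const void *src, size_t n)
{
    if ((uintptr_t)src < 4096)
        return n;       /* bytes not copied, as the kernel helper reports */
    memcpy(dst, src, n);
    return 0;
}

/* Command check in the spirit of the switch sketched in the message. */
static int demo_cmd_known(unsigned int cmd)
{
    if (cmd == DEMO_SIOCGIFFLAGS || cmd == DEMO_SIOCWANDEV)
        return 1;
    if (cmd >= DEMO_SIOCDEVPRIVATE && cmd <= DEMO_SIOCDEVPRIVATE + 15)
        return 1;
    return cmd >= DEMO_SIOCIWFIRST && cmd <= DEMO_SIOCIWLAST;
}

/* Order described as the bug: copy the argument, only then look at cmd. */
int ioctl_copy_first(unsigned int cmd, const void *arg)
{
    struct demo_ifreq ifr;
    if (demo_copy_from_user(&ifr, arg, sizeof(ifr)))
        return -EFAULT;
    return demo_cmd_known(cmd) ? 0 : -EINVAL;
}

/* Guarded order: unknown commands are rejected before arg is touched. */
int ioctl_check_first(unsigned int cmd, const void *arg)
{
    if (!demo_cmd_known(cmd))
        return -EINVAL;
    return ioctl_copy_first(cmd, arg);
}
```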

Thread overview: 6+ messages
2006-12-08 17:50 Fw: [Bug 7635] New: ioctl(fd,TCSBRK,1) on socket yields EFAULT, expected EINVAL/ENOTTY Stephen Hemminger
2006-12-08 21:36 ` David Miller
2006-12-08 22:00   ` Stephen Hemminger
2006-12-09  0:33     ` David Miller
2006-12-09  8:06       ` Eric Dumazet
2006-12-09  9:05         ` David Miller [this message]