Re: [PATCH] wireless: fix 64K kernel heap content leak via ioctl
From: Luis R. Rodriguez <hidden>
Date: 2010-08-27 22:52:10
Also in:
linux-wireless, lkml
On Fri, Aug 27, 2010 at 3:39 PM, Jean Tourrilhes [off-list ref] wrote:
On Fri, Aug 27, 2010 at 03:35:19PM -0700, Luis R. Rodriguez wrote:
diff -u -p wext.j2.c wext.c--- wext.j2.c 2010-08-27 14:17:26.000000000 -0700 +++ wext.c 2010-08-27 14:19:33.000000000 -0700@@ -800,9 +800,12 @@ static int ioctl_standard_iw_point(strucgoto out; } - if (copy_to_user(iwp->pointer, extra, - iwp->length * - descr->token_size)) { + /* Verify how much we should return. Some driver + * may abuse iwp->length... */ + if((iwp->length * descr->token_size) < extra_size) + extra_size = iwp->length * descr->token_size; + + if (copy_to_user(iwp->pointer, extra, extra_size)) { err = -EFAULT; goto out; }
Jean, can you submit in a new thread and right before the SOB add in the commit log Cc: stable@kernel.org [2.6.32+]
The current patch was made for 2.6.27 and was only compiled. Someone would need to verify it works for 2.6.32. I could probably find some time next week.
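Review bot: in the @@ -800,9 +800,12 @@ hunk of ioctl_standard_iw_point(), the new clamp shortens the copy silently and leaves iwp->length at the driver's oversized value. If that length is handed back to the caller, it will describe more data than copy_to_user() actually wrote. Consider clamping iwp->length as well, or at least logging a warning that names the misbehaving driver, so the truncation is visible and the reported length matches the copied bytes. The clamp is also only as good as extra_size at this point: the hunk does not show where extra_size is set, so it is worth confirming that it still holds the size of the extra buffer here and has not been modified on the way. Two smaller points: iwp->length * descr->token_size is computed twice and would read better as one local, and the added `if((iwp->length * descr->token_size) < extra_size)` needs a space after `if` to match kernel coding style.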
Got it, ah so it would be Cc: stable@kernel.org [2.6.27+]. To get this trickled in we first need it for wireless-testing.git, and provide links / patches to the backport of the patch for each kernel. Once it gets merged into Linus' tree the stable team can apply the respective backported patches.
Luis