[CVE-2017-7487][PATCH T/Z] ipx: call ipxitf_put() in ioctl error path
Po-Hsu Lin
po-hsu.lin at canonical.com
Thu Jul 20 07:57:34 UTC 2017
From: Dan Carpenter <dan.carpenter at oracle.com>
CVE-2017-7487
We should call ipxitf_put() if the copy_to_user() fails.
Reported-by: 李强 <liqiang6-s at 360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
net/ipx/af_ipx.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 6857ae4..654e39d 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1183,11 +1183,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
sipx->sipx_network = ipxif->if_netnum;
memcpy(sipx->sipx_node, ipxif->if_node,
sizeof(sipx->sipx_node));
- rc = -EFAULT;
+ rc = 0;
if (copy_to_user(arg, &ifr, sizeof(ifr)))
- break;
+ rc = -EFAULT;
ipxitf_put(ipxif);
- rc = 0;
break;
}
case SIOCAIPXITFCRT:
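Review bot: The commit message should state what goes wrong without the fix. In the removed lines, the `break` taken when copy_to_user() fails skips ipxitf_put(ipxif), so each failed copy leaves one reference on ipxif that is never dropped. The reordered code reads correctly: rc = 0 up front, rc = -EFAULT on a failed copy, then an unconditional ipxitf_put(ipxif) before the single break. For the T and Z backports, please confirm that the surrounding context in each tree matches, so that no other early exit sits between where the reference is taken and this put; that part of the case is outside the visible lines.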
--
2.7.4