Watch ifr.ifr_name.
Hi Ken, I believe there is some bug in your new checker algorithms for
this case.
struct ifreq ifr;
int err;
Start--->
if (copy_from_user(&ifr, (void *)arg, sizeof(ifr)))
return -EFAULT;
ifr.ifr_name[IFNAMSIZ-1] = '\0';
ifreq copied safely to kernel space, ifr.ifr_name[] is inside the
struct and NOT a user pointer.
err = tun_set_iff(file, &ifr);
Pass address of kernel ifreq.
if (*ifr->ifr_name)
name = ifr->ifr_name;
if ((err = dev_alloc_name(&tun->dev, name)) < 0)
goto failed;
Perfectly fine still, name always points to kernel memory.
int dev_alloc_name(struct net_device *dev, const char *name)
{
...
for (i = 0; i < 100; i++) {
Error--->
sprintf(buf,name,i);
Still fine, as stated "name" is pointing to kernel memory.
Perhaps your code is being confused by "ifreq->if_name" being
an array.
Franks a lot,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/