4.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: "Levin, Alexander" <alexander.levin@xxxxxxxxxxx> [ Upstream commit 98de4e0ea47d106846fc0e30ce4e644283fa7fc2 ] ifr name is assumed to be a valid string by the kernel, but nothing was forcing username to pass a valid string. In turn, this would cause panics as we tried to access the string past it's valid memory. Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/core/dev_ioctl.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -423,6 +423,8 @@ int dev_ioctl(struct net *net, unsigned if (copy_from_user(&iwr, arg, sizeof(iwr))) return -EFAULT; + iwr.ifr_name[sizeof(iwr.ifr_name) - 1] = 0; + return wext_handle_ioctl(net, &iwr, cmd, arg); }