From: Luciano Coelho <coelho@ti.com>
Date: Tue, 7 Jun 2011 17:42:26 +0000 (+0300)
Subject: nl80211: fix overflow in ssid_len
X-Git-Tag: v3.0-rc4~5^2~13^2~6
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
nl80211: fix overflow in ssid_len
[ 2.6.35 backport ]
When the length of one of the SSIDs passed in a scan or sched_scan request
is larger than 255, there will be an overflow in the u8 that is used
to store the length before checking. This causes the check to miss the
oversized length and we overrun the buffer when copying the SSID.
Fix this by checking the nl80211 attribute length before copying it to
the struct.
This is a follow up for the previous commit
208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
entirely.
Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 88a565f..98fa8eb 100644
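--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3179,11 +3179,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
  i = 0;
  if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
  nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
- request->ssids[i].ssid_len = nla_len(attr);
- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
  err = -EINVAL;
  goto out_free;
  }
+ request->ssids[i].ssid_len = nla_len(attr);
  memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
  i++;
  }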
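Review bot: The reordered check in nl80211_trigger_scan only works because it tests `nla_len(attr)` (an int) instead of the stored `ssid_len`, which the commit message says is a u8, and nothing on the new lines records that ordering constraint. A short comment above the check, such as `/* validate the raw attribute length; ssid_len is u8 and would truncate values above 255 */`, would keep a later cleanup from moving the assignment back in front of the test. Separately, `request->ssids[i]` is indexed by a counter whose upper bound is not visible in this hunk, so it is worth confirming that the array was sized from the same nested attribute list before this loop runs. The function body starts and ends outside the hunk.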