Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Apply patch from FreeBSD-SA-06:05. This avoids the overflow during the 

lenght calculation phase instead of just growing the buffer like the older
patch did. I am leaving the bigger buffer too for now since it does not hurt.
This commit is contained in:
christos 2006-01-18 14:01:16 +00:00
parent c5b9cc482c
commit 0149d50904
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
sys/net80211/ieee80211_ioctl.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: ieee80211_ioctl.c,v 1.27 2006/01/13 19:30:06 christos Exp $ */ /* $NetBSD: ieee80211_ioctl.c,v 1.28 2006/01/18 14:01:16 christos Exp $ */
/*- /*-
* Copyright (c) 2001 Atsushi Onoe * Copyright (c) 2001 Atsushi Onoe
* Copyright (c) 2002-2005 Sam Leffler, Errno Consulting * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
@ -36,7 +36,7 @@
__FBSDID("$FreeBSD: src/sys/net80211/ieee80211_ioctl.c,v 1.35 2005/08/30 14:27:47 avatar Exp $"); __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_ioctl.c,v 1.35 2005/08/30 14:27:47 avatar Exp $");
#endif #endif
#ifdef __NetBSD__ #ifdef __NetBSD__
__KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.27 2006/01/13 19:30:06 christos Exp $"); __KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.28 2006/01/18 14:01:16 christos Exp $");
#endif #endif
/* /*
@ -1000,13 +1000,25 @@ get_scan_result(struct ieee80211req_scan_result *sr,
const struct ieee80211_node *ni) const struct ieee80211_node *ni)
{ {
struct ieee80211com *ic = ni->ni_ic; struct ieee80211com *ic = ni->ni_ic;
u_int ielen = 0;
memset(sr, 0, sizeof(*sr)); memset(sr, 0, sizeof(*sr));
sr->isr_ssid_len = ni->ni_esslen; sr->isr_ssid_len = ni->ni_esslen;
if (ni->ni_wpa_ie != NULL) if (ni->ni_wpa_ie != NULL)
sr->isr_ie_len += 2+ni->ni_wpa_ie[1]; ielen += 2+ni->ni_wpa_ie[1];
if (ni->ni_wme_ie != NULL) if (ni->ni_wme_ie != NULL)
sr->isr_ie_len += 2+ni->ni_wme_ie[1]; ielen += 2+ni->ni_wme_ie[1];
/*
* The value sr->isr_ie_len is defined as a uint8_t, so we
* need to be careful to avoid an integer overflow. If the
* value would overflow, we will set isr_ie_len to zero, and
* ieee80211_ioctl_getscanresults (below) will avoid copying
* the (overflowing) data.
*/
if (ielen > 255)
ielen = 0;
sr->isr_ie_len = ielen;
sr->isr_len = sizeof(*sr) + sr->isr_ssid_len + sr->isr_ie_len; sr->isr_len = sizeof(*sr) + sr->isr_ssid_len + sr->isr_ie_len;
sr->isr_len = roundup(sr->isr_len, sizeof(u_int32_t)); sr->isr_len = roundup(sr->isr_len, sizeof(u_int32_t));
if (ni->ni_chan != IEEE80211_CHAN_ANYC) { if (ni->ni_chan != IEEE80211_CHAN_ANYC) {
@ -1054,11 +1066,11 @@ ieee80211_ioctl_getscanresults(struct ieee80211com *ic, struct ieee80211req *ire
cp = (u_int8_t *)(sr+1); cp = (u_int8_t *)(sr+1);
memcpy(cp, ni->ni_essid, ni->ni_esslen); memcpy(cp, ni->ni_essid, ni->ni_esslen);
cp += ni->ni_esslen; cp += ni->ni_esslen;
if (ni->ni_wpa_ie != NULL) { if (sr->isr_ie_len > 0 && ni->ni_wpa_ie != NULL) {
memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]); memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]);
cp += 2+ni->ni_wpa_ie[1]; cp += 2+ni->ni_wpa_ie[1];
} }
if (ni->ni_wme_ie != NULL) { if (sr->isr_ie_len > 0 && ni->ni_wme_ie != NULL) {
memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]); memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]);
cp += 2+ni->ni_wme_ie[1]; cp += 2+ni->ni_wme_ie[1];
} }