From f989129a77a11f7665a4ce37d0123901aee16d07 Mon Sep 17 00:00:00 2001
From: onoe
Date: Wed, 19 Jul 2000 04:43:34 +0000
Subject: [PATCH] check the length of nwid argument before copy to avoid SEGV. pointed out by enami-san
---
 sbin/ifconfig/ifconfig.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/sbin/ifconfig/ifconfig.c b/sbin/ifconfig/ifconfig.c
index 69946a0c401f..68fc9e224f92 100644
--- a/sbin/ifconfig/ifconfig.c
+++ b/sbin/ifconfig/ifconfig.c
@@ -1,4 +1,4 @@
-/* $NetBSD: ifconfig.c,v 1.84 2000/07/06 08:20:51 onoe Exp $ */
+/* $NetBSD: ifconfig.c,v 1.85 2000/07/19 04:43:34 onoe Exp $ */
 /*-
 * Copyright (c) 1997, 1998, 2000 The NetBSD Foundation, Inc.
@@ -80,7 +80,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1993\n\
 #if 0
 static char sccsid[] = "@(#)ifconfig.c 8.2 (Berkeley) 2/16/94";
 #else
-__RCSID("$NetBSD: ifconfig.c,v 1.84 2000/07/06 08:20:51 onoe Exp $");
+__RCSID("$NetBSD: ifconfig.c,v 1.85 2000/07/19 04:43:34 onoe Exp $");
 #endif
 #endif /* not lint */
@@ -1095,6 +1095,7 @@ setifnwid(val, d)
 int d;
 {
 struct ieee80211_nwid nwid;
+ int len;
 u_int8_t *p;
 memset(&nwid, 0, sizeof(nwid));
@@ -1102,6 +1103,10 @@ setifnwid(val, d)
 val += 2;
 p = nwid.i_nwid;
 while (isxdigit((u_char)val[0]) && isxdigit((u_char)val[1])) {
+ if (p > nwid.i_nwid + sizeof(nwid.i_nwid)) {
+ warnx("SIOCS80211NWID: Too long nwid.");
+ return;
+ }
 #define tohex(x) (isdigit(x) ? (x) - '0' : tolower(x) - 'a' + 10)
 *p++ = (tohex((u_char)val[0]) << 4) | tohex((u_char)val[1]);
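Review bot: The bound test added at the top of the hex-parsing loop, `if (p > nwid.i_nwid + sizeof(nwid.i_nwid))`, is off by one. When `p` already points one past the end of `i_nwid` the test is false, so the following `*p++ = ...` store still writes one byte beyond the array. The comparison should be `>=`, i.e. `if (p >= nwid.i_nwid + sizeof(nwid.i_nwid)) {`. With `>`, a hex nwid one byte longer than the field is accepted, and the `nwid.i_len = p - nwid.i_nwid` assignment in the next hunk then records a length larger than the buffer. setifnwid starts and ends outside this hunk.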
@@ -1109,13 +1114,18 @@ setifnwid(val, d)
 val += 2;
 }
 if (*val != '\0') {
- warnx("SIOCS80211NWID: Bad hexdecimal digits.");
+ warnx("SIOCS80211NWID: Bad hexadecimal digits.");
 return;
 }
 nwid.i_len = p - nwid.i_nwid;
 } else {
- nwid.i_len = strlen(val);
- memcpy(nwid.i_nwid, val, nwid.i_len);
+ len = strlen(val);
+ if (len > sizeof(nwid.i_nwid)) {
+ warnx("SIOCS80211NWID: Too long nwid.");
+ return;
+ }
+ nwid.i_len = len;
+ memcpy(nwid.i_nwid, val, len);
 }
 (void)strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
 ifr.ifr_data = (caddr_t)&nwid;
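Review bot: In the string branch, `len` is the `int` declared in the earlier hunk, but it receives the `size_t` result of `strlen(val)` and is then compared with `sizeof(nwid.i_nwid)`, so `len > sizeof(nwid.i_nwid)` mixes signed and unsigned operands. The result is correct for any realistic command-line argument, but declaring it `size_t len;` removes the narrowing conversion and the sign-compare warning. A short comment above the test would also help, for example `/* nwid is length-counted, not NUL-terminated: len == sizeof(i_nwid) is valid */`. That is presumably why `>` is right here while the hex branch needs a stricter bound; confirm against the `struct ieee80211_nwid` definition. setifnwid starts and ends outside this hunk.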