| From 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 Mon Sep 17 00:00:00 2001 |
| From: Luciano Coelho <coelho@ti.com> |
| Date: Thu, 19 May 2011 00:43:38 +0300 |
| Subject: nl80211: fix check for valid SSID size in scan operations |
| |
| From: Luciano Coelho <coelho@ti.com> |
| |
| commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 upstream. |
| |
| In both trigger_scan and sched_scan operations, we were checking for |
| the SSID length before assigning the value correctly. Since the |
| memory was just kzalloc'ed, the check was always failing and SSID with |
| over 32 characters were allowed to go through. |
| |
| This was causing a buffer overflow when copying the actual SSID to the |
| proper place. |
| |
| This bug has been there since 2.6.29-rc4. |
| |
| Signed-off-by: Luciano Coelho <coelho@ti.com> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| |
| --- |
| net/wireless/nl80211.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/wireless/nl80211.c |
| +++ b/net/wireless/nl80211.c |
| @@ -3078,12 +3078,12 @@ static int nl80211_trigger_scan(struct s |
| i = 0; |
| if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) { |
| nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) { |
| + request->ssids[i].ssid_len = nla_len(attr); |
| if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) { |
| err = -EINVAL; |
| goto out_free; |
| } |
| memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr)); |
| - request->ssids[i].ssid_len = nla_len(attr); |
| i++; |
| } |
| } |