| From 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 Mon Sep 17 00:00:00 2001 |
| From: Luciano Coelho <coelho@ti.com> |
| Date: Tue, 7 Jun 2011 20:42:26 +0300 |
| Subject: nl80211: fix overflow in ssid_len |
| |
| From: Luciano Coelho <coelho@ti.com> |
| |
| commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 upstream. |
| |
| When the length of one of the SSIDs passed in a scan or sched_scan |
| request is larger than 255, it overflows the u8 that is used to store |
| the length before it is checked. The check then misses the oversized |
| length and we overrun the buffer when copying the SSID. |
| |
| Fix this by checking the nl80211 attribute length before copying it to |
| the struct. |
| |
| This is a follow up for the previous commit |
| 208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem |
| entirely. |
| |
| Reported-by: Ido Yariv <ido@wizery.com> |
| Signed-off-by: Luciano Coelho <coelho@ti.com> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/wireless/nl80211.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/net/wireless/nl80211.c |
| +++ b/net/wireless/nl80211.c |
| @@ -3078,11 +3078,11 @@ static int nl80211_trigger_scan(struct s |
| i = 0; |
| if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) { |
| nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) { |
| - request->ssids[i].ssid_len = nla_len(attr); |
| - if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) { |
| + if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) { |
| err = -EINVAL; |
| goto out_free; |
| } |
| + request->ssids[i].ssid_len = nla_len(attr); |
| memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr)); |
| i++; |
| } |
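Review bot: Nothing at the moved assignment records why the length test must run before `request->ssids[i].ssid_len` is written, yet that ordering is the entire fix, because storing first truncates the value through the u8 field. I would add a comment above the check, such as `/* validate nla_len() before storing: ssid_len is a u8 and would wrap for lengths > 255 */`, so a later cleanup does not fold the two statements back together. The description also mentions sched_scan requests, but this patch only changes nl80211_trigger_scan, so it is worth confirming whether this tree has a sched_scan path with the same store-then-check pattern. The bound on `i` against the size of `request->ssids` is established outside the hunk and cannot be judged from here.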