aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorLuciano Coelho <coelho@ti.com>2011-05-18 17:43:38 -0400
committerJohn W. Linville <linville@tuxdriver.com>2011-05-26 15:43:28 -0400
commit208c72f4fe44fe09577e7975ba0e7fa0278f3d03 (patch)
treef556afcda6931d1ad7d5ab41341a887c0b25f664 /net
parent21bc7af6e5e684b44725b20f679e701e38ceef15 (diff)
nl80211: fix check for valid SSID size in scan operations
In both trigger_scan and sched_scan operations, we were checking for the SSID length before assigning the value correctly. Since the memory was just kzalloc'ed, the check was always failing and SSID with over 32 characters were allowed to go through. This was causing a buffer overflow when copying the actual SSID to the proper place. This bug has been there since 2.6.29-rc4. Cc: stable@kernel.org Signed-off-by: Luciano Coelho <coelho@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/nl80211.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index ec83f413a7ed..88a565f130a5 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3406,12 +3406,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
3406 i = 0; 3406 i = 0;
3407 if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) { 3407 if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
3408 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) { 3408 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
3409 request->ssids[i].ssid_len = nla_len(attr);
3409 if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) { 3410 if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
3410 err = -EINVAL; 3411 err = -EINVAL;
3411 goto out_free; 3412 goto out_free;
3412 } 3413 }
3413 memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr)); 3414 memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
3414 request->ssids[i].ssid_len = nla_len(attr);
3415 i++; 3415 i++;
3416 } 3416 }
3417 } 3417 }
@@ -3572,6 +3572,7 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
3572 if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) { 3572 if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
3573 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], 3573 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
3574 tmp) { 3574 tmp) {
3575 request->ssids[i].ssid_len = nla_len(attr);
3575 if (request->ssids[i].ssid_len > 3576 if (request->ssids[i].ssid_len >
3576 IEEE80211_MAX_SSID_LEN) { 3577 IEEE80211_MAX_SSID_LEN) {
3577 err = -EINVAL; 3578 err = -EINVAL;
@@ -3579,7 +3580,6 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
3579 } 3580 }
3580 memcpy(request->ssids[i].ssid, nla_data(attr), 3581 memcpy(request->ssids[i].ssid, nla_data(attr),
3581 nla_len(attr)); 3582 nla_len(attr));
3582 request->ssids[i].ssid_len = nla_len(attr);
3583 i++; 3583 i++;
3584 } 3584 }
3585 } 3585 }