| Message ID | 1307388656-19240-1-git-send-email-coelho@ti.com (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers | show |
On Mon, 2011-06-06 at 22:30 +0300, Luciano Coelho wrote: > In both trigger_scan and sched_scan operations, we were checking for > the SSID length before assigning the value correctly. Since the > memory was just kzalloc'ed, the check was always failing and SSID with > over 32 characters were allowed to go through. > > This was causing a buffer overflow when copying the actual SSID to the > proper place. > > This bug has been there since 2.6.29-rc4. > > Backported from commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03. > > Cc: stable@kernel.org > Signed-off-by: Luciano Coelho <coelho@ti.com> > Signed-off-by: John W. Linville <linville@tuxdriver.com> > --- FWIW, this patch applies cleanly on all stable kernels at least as far back as 2.6.35, probably even earlier.
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 2c70a1e..29a1ce1 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -3239,12 +3239,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) i = 0; if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) { nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) { + request->ssids[i].ssid_len = nla_len(attr); if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) { err = -EINVAL; goto out_free; } memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr)); - request->ssids[i].ssid_len = nla_len(attr); i++; } }