* [PATCH stable] nl80211: fix check for valid SSID size in scan operations
[not found] <13073811693022@kroah.org>
@ 2011-06-06 19:30 ` Luciano Coelho
2011-06-06 19:35 ` Luciano Coelho
0 siblings, 1 reply; 2+ messages in thread
From: Luciano Coelho @ 2011-06-06 19:30 UTC (permalink / raw)
To: stable; +Cc: gregkh, linville, linux-wireless
In both trigger_scan and sched_scan operations, we were checking for
the SSID length before assigning the value correctly. Since the
memory was just kzalloc'ed, the check was always failing and SSID with
over 32 characters were allowed to go through.
This was causing a buffer overflow when copying the actual SSID to the
proper place.
This bug has been there since 2.6.29-rc4.
Backported from commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03.
Cc: stable@kernel.org
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
net/wireless/nl80211.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 2c70a1e..29a1ce1 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3239,12 +3239,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
i = 0;
if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+ request->ssids[i].ssid_len = nla_len(attr);
if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
err = -EINVAL;
goto out_free;
}
memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
- request->ssids[i].ssid_len = nla_len(attr);
i++;
}
}
--
1.7.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH stable] nl80211: fix check for valid SSID size in scan operations
2011-06-06 19:30 ` [PATCH stable] nl80211: fix check for valid SSID size in scan operations Luciano Coelho
@ 2011-06-06 19:35 ` Luciano Coelho
0 siblings, 0 replies; 2+ messages in thread
From: Luciano Coelho @ 2011-06-06 19:35 UTC (permalink / raw)
To: stable; +Cc: gregkh, linville, linux-wireless
On Mon, 2011-06-06 at 22:30 +0300, Luciano Coelho wrote:
> In both trigger_scan and sched_scan operations, we were checking for
> the SSID length before assigning the value correctly. Since the
> memory was just kzalloc'ed, the check was always failing and SSID with
> over 32 characters were allowed to go through.
>
> This was causing a buffer overflow when copying the actual SSID to the
> proper place.
>
> This bug has been there since 2.6.29-rc4.
>
> Backported from commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03.
>
> Cc: stable@kernel.org
> Signed-off-by: Luciano Coelho <coelho@ti.com>
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> ---
FWIW, this patch applies cleanly on all stable kernels at least as far
back as 2.6.35, probably even earlier.
--
Cheers,
Luca.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-06-06 19:35 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <13073811693022@kroah.org>
2011-06-06 19:30 ` [PATCH stable] nl80211: fix check for valid SSID size in scan operations Luciano Coelho
2011-06-06 19:35 ` Luciano Coelho
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).