On Sun, Jan 05, 2014 at 04:17:36PM -0500, Dan LaManna wrote:
> @@ -1358,22 +1358,22 @@ static inline int is_same_network(struct ieee80211_network *src,
> * We treat all <hidden> with the same BSSID and channel
> * as one network
> */
> - return (((src->ssid_len == dst->ssid_len) || (ieee->iw_mode == IW_MODE_INFRA)) && /* YJ,mod, 080819,for hidden ap */
> + return ((src->ssid_len == dst->ssid_len) || (ieee->iw_mode == IW_MODE_INFRA)) && /* YJ,mod, 080819,for hidden ap */
> (src->channel == dst->channel) &&
> !memcmp(src->bssid, dst->bssid, ETH_ALEN) &&
> (!memcmp(src->ssid, dst->ssid, src->ssid_len) || (ieee->iw_mode == IW_MODE_INFRA)) && /* YJ,mod, 080819,for hidden ap */
> ((src->capability & WLAN_CAPABILITY_IBSS) ==
> (dst->capability & WLAN_CAPABILITY_IBSS)) &&
> ((src->capability & WLAN_CAPABILITY_BSS) ==
> - (dst->capability & WLAN_CAPABILITY_BSS)));
> + (dst->capability & WLAN_CAPABILITY_BSS));
> }
>
Break this up.
if (src->channel != dst->channel) return 0;
if (memcmp(src->bssid, dst->bssid, ETH_ALEN) != 0) return 0;
if (ieee->iw_mode == IW_MODE_INFRA) {
if (src->ssid_len != dst->ssid_len) return 0;
if (memcmp(src->ssid, dst->ssid, src->ssid_len) != 0) return 0;
}
if (src->capability & WLAN_CAPABILITY_IBSS != dst->capability & WLAN_CAPABILITY_IBSS) return 0;
if (src->capability & WLAN_CAPABILITY_BSS != dst->capability & WLAN_CAPABILITY_BSS) return 0;
return 1;
In the original code we don't verify that dst->ssid_len is valid if ieee->iw_mode == IW_MODE_INFRA. That means there is a potential Oops if we read too far in the memcmp(src->ssid, dst->ssid, src->ssid_len). I haven't reviewed the callers so it may not be a real issue.
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
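Review bot: On the ssid term of the new return expression, `!memcmp(src->ssid, dst->ssid, src->ssid_len)` is evaluated before the `|| (ieee->iw_mode == IW_MODE_INFRA)` that is meant to make it irrelevant, so in INFRA mode the compare still reads `src->ssid_len` bytes from both ssid buffers even though the preceding term has already let `src->ssid_len != dst->ssid_len` through. Putting the mode test first, `(ieee->iw_mode == IW_MODE_INFRA || !memcmp(src->ssid, dst->ssid, src->ssid_len))`, short-circuits before any read and makes the intent of the "for hidden ap" comment explicit. Whether `src->ssid_len` is bounded to the size of the ssid array on entry cannot be seen here (the struct layout and the callers are outside the hunk); a comment such as `/* ssid_len is assumed <= sizeof(src->ssid); enforced where the network entry is filled */` or an explicit bound check would record that assumption next to the memcmp. is_same_network's signature and opening lines are outside the hunk.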