On Sun, Jun 15, 2008 at 7:46 PM, Joonwoo Park <joonwpark81@xxxxxxxxx> wrote:
> On Tue, May 27, 2008 at 08:41:00PM -0400, John W. Linville wrote:
>> On Tue, May 27, 2008 at 09:53:43AM -0400, Dan Williams wrote:
>>
>> > I've gotten maybe 1 or 2 requests for > 104/128-bit WEP key support for
>> > NM in 3 years. Nice to have, but I'm not sure it's worth the extra code
>> > and maintenance burden? Would be good to have somebody tell us what
>> > hardware (APs and cards) support this though.
>>
>> I'm inclined to think that it is _not_ worth the trouble for this
>> particular feature.
>>
>> John
>
> This patch limits wep key size to 128/104-bits.
> I hope you guys like this.
>
> Thanks,
>
> Joonwoo
>
> ---
> [PATCH] wireless: Limit wep key size to 128/104-bits
>
> This patch prevents overflow which is occurred by invalid long wep key
> insertion
>
> $sudo iwconfig wlan0 enc AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> IP: [memcpy_c+0xb/0x20] memcpy_c+0xb/0x20
> PGD 13a590067 PUD 12e471067 PMD 0
> Oops: 0000 [1] PREEMPT SMP
> CPU 1
> ...
> Pid: 10, comm: events/1 Not tainted 2.6.26-rc2 #9
> ...
> Call Trace:
> [iwl4965:iwl4965_rx_scan_start_notif+0xb/0x20] ? :iwl4965:iwl4965_enqueue_hcmd+0x12b/0x220
> [hci_usb:init_module+0xe97/0x28cb0] :iwlcore:iwl_send_cmd_sync+0x67/0x290
> [save_trace+0x3f/0xb0] ? save_trace+0x3f/0xb0
> ...
>
> Signed-off-by: Joonwoo Park <joonwpark81@xxxxxxxxx>
> ---
> net/wireless/wext.c | 11 ++++++++++-
> 1 files changed, 10 insertions(+), 1 deletions(-)
>
> diff --git a/net/wireless/wext.c b/net/wireless/wext.c > index 947188a..c8ef55b 100644 > --- a/net/wireless/wext.c > +++ b/net/wireless/wext.c
> @@ -102,6 +102,8 @@ > > #include <asm/uaccess.h> /* copy_to_user() */ > > +#define KEY_SIZE_WEP104 13 > + > /************************* GLOBAL VARIABLES *************************/ > /* > * You should not use global variables, because of re-entrancy. > @@ -740,8 +742,8 @@ static int ioctl_standard_call(struct net_device * dev, > * for max space. Easier, and won't last long... */ > extra_size = descr->max_tokens * descr->token_size; > > - /* Check need for ESSID compatibility for WE < 21 */ > switch (cmd) { > + /* Check need for ESSID compatibility for WE < 21 */ > case SIOCSIWESSID: > case SIOCGIWESSID: > case SIOCSIWNICKN: > @@ -761,6 +763,13 @@ static int ioctl_standard_call(struct net_device * dev, > essid_compat = 1; > } > break; > + > + /* Limit wep key size to 128/104-bits */ > + case SIOCSIWENCODE: > + if (iwr->u.data.length > KEY_SIZE_WEP104) > + return -EINVAL; > + break; > + > default: > break; > } > -- > 1.5.4.3

We've already posted a patch 'iwlwifi: add bad length check for WEP keys' that fixes this for iwlwifi. I believe that long keys still can be handled by software crypto. If the key length is not supported, the driver returns error values and we fail down to software crypto.

John, our patch is probably 2.6.26 material. I didn't check yet, though, if it applies on wireless-2.6.git.

Thanks
Tomas
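Review bot: KEY_SIZE_WEP104 in hunk @@ -102,6 +102,8 @@ is a bare 13 with no unit and is defined privately in wext.c right under the includes. Add a comment saying it is a key length in bytes (13 bytes = 104 bits), and consider putting it in a shared wireless header so that a driver doing its own length check uses the same constant. The subject line says "128/104-bits", which reads like two limits while the code enforces one; the comment on the define is the place to clear that up.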
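Review bot: the comment move in hunk @@ -740,8 +742,8 @@, where "Check need for ESSID compatibility for WE < 21" goes from above switch (cmd) to inside it, is a cosmetic change unrelated to the key-length fix. Drop it from this patch or send it separately, so the fix stays minimal and is easier to review and backport.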
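Review bot: the length test under the new case SIOCSIWENCODE: in hunk @@ -761,6 +763,13 @@ sits in the generic ioctl_standard_call(), so it returns -EINVAL for any key longer than KEY_SIZE_WEP104 on every wireless-extensions driver, not only the one in the oops. The trace in the commit message ends in memcpy_c under iwl4965/iwlcore frames, which points at a missing length check in that driver's key handling; the bound belongs there, with the core limit left to descr->max_tokens as in the context lines above, so that drivers or software crypto able to take longer keys keep working. The commit message calls this an overflow while the quoted oops is a NULL pointer dereference, so the description should say which one the check is meant to prevent. The new branch also covers only SIOCSIWENCODE, so it is worth confirming that no other command reaches the same driver code with an unchecked length.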