If somebody sends an invalid beacon/probe response, that can trash the whole BSS descriptor. The descriptor is, luckily, large enough so that it cannot scribble past the end of it; it's well above 400 bytes long. Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> Cc: stable@xxxxxxxxxx [2.6.24-2.6.27, bug present in some form since driver was added (2.6.22)] --- Not really tested for lack of hw. John, this is part of the other patch I sent, but this one's for 2.6.28. The function there needs to be reviewed more, it seems to access potentially invalid memory when an AP sends other, too short, information elements. --- a/drivers/net/wireless/libertas/scan.c +++ b/drivers/net/wireless/libertas/scan.c @@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_descriptor *bss, switch (elem->id) { case MFIE_TYPE_SSID: - bss->ssid_len = elem->len; - memcpy(bss->ssid, elem->data, elem->len); + bss->ssid_len = min_t(int, 32, elem->len); + memcpy(bss->ssid, elem->data, bss->ssid_len); lbs_deb_scan("got SSID IE: '%s', len %u\n", escape_essid(bss->ssid, bss->ssid_len), bss->ssid_len);
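Review bot: in the MFIE_TYPE_SSID case the bound is a bare literal 32 in min_t(int, 32, elem->len); tie it to the destination instead, for example sizeof(bss->ssid) if ssid is a fixed-size array in struct bss_descriptor (its definition is not visible in this hunk), or a named constant, so the clamp cannot drift from the buffer size. The clamp also silently truncates an over-long SSID element, so a malformed beacon or probe response is stored as if it were valid; a debug message or skipping the element would make that visible. Finally, this only bounds the write into bss->ssid: nothing visible here checks that elem->len bytes are actually present in the received frame before memcpy reads elem->data, which is in line with the remark in the posting that the function needs further review for too-short information elements.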